Researcher nets $13K for Microsoft auth vulnerability

U.K. researcher nets $13K in Microsoft bug bounty for authentication vulnerability.
U.K. researcher nets $13K in Microsoft bug bounty for authentication vulnerability.

U.K.-based security researcher Jack Whitton netted a $13,000 bug bounty from Microsoft for finding a serious authentication vulnerability affecting Outlook, Azure, and Office accounts.

Whitton discovered that Microsoft's authentication system was vulnerable to cross-site request forgery (CSRF) attacks, which could allow an attacker to obtain login tokens for the accounts and impersonate a user, according to an April 3 blog post he penned detailing the attack.

“Despite CSRF bugs not having the same credibility as other bugs, when discovered in authentication systems their impact can be pretty large,” he wrote.

Whitton said the vulnerability is similar to a CSRF issue that Synack Senior Security Research Engineer Wesley Wineberg reported last year except the flaw was is in the main Microsoft authentication system rather than the OAuth approval prompt.

Microsoft patched the vulnerability in January 2016 within two days of being notified. 

You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS