Microsoft's accounts were accessible by a bug hunter residing in India who was able to take over the success.office.com subdomain because it wasn't configured properly, reported TechCrunch.
According to the report, Sahad NK, a bug hunter based in India, was able to take over success.office.com and control any data that was sent to it. What's more, NK told TechCrunch that he discovered that Microsoft Office, Store and Sway apps could also be hijacked, sending authenticated login tokens to his domain instead of Microsoft.
In order for the scam to work a user clicks on a link sent via email and then logs in via Microsoft's login system with his two-factor security token, providing his own username and password. The URL link was made by NK in a way that it instructs Microsoft's login system to send the account token to NK. If NK was a hacker, he would have the ability to put untold accounts at risk to a breach, noted TechCrunch. The malicious URL appears legitimate because the user is still logging in through Microsoft's systems, noted the report.
NK reported the vulnerability to Microsoft, which fixed it, according to the report. “The Microsoft Security Response Center mitigated the case in November 2018,” a Microsoft spokesperson confirmed in an email to TechCrunch. TechCrunch noted that Microsoft paid NK a bounty for his findings.
In July Microsoft announced a new bounty program in which the software giant committed to paying hackers anywhere from $500 to $100,000 for hacking its digital identity services. In a blog post at the time, Microsoft said it has invested a lot in the security and privacy of consumers and enterprise identity solutions and wants to ensure its systems are secure. Microsoft said at the time that it will pay a premium on security research into digital identity services for both consumers and enterprises.