back to article Outlook.com had classic security blunder in authentication engine

Synack senior security researcher Wesley Wineberg has received US$25,000 from Microsoft for quietly disclosing a bug that allows any Hotmail account to be hijacked. The cross-site request forgery vulnerability means that any user visiting a malicious page can have their accounts hijacked without further interaction. The since …

  1. Tim 11

    surely they knew already??

    Anyone with friends that still use hotmail will regularly get spam coming from those people with links to dodgy web sites. This flaw has been very obvious and actively exploited for at least 10 years.

    I only twigged it as a simple XSS attack last year when my gf clicked on one of the links and we noticed a load of spam messages appear in her sent items. If there was anyone inside MS with the remotest interest in hotmail security they could have found and fixed this flaw years ago and saved all of us a lot of grief.

  2. P. Lee Silver badge

    Here's a question:

    Does this class of flaw disappear if you use an IMAP client rather than an HTTP client?

    Does an inappropriate obsession with HTTP cause problems that simply don't need to exist?

    We allow HTTP/S out through corporate firewalls as a matter of course. Why not IMAP? Indeed, is outbound filtering of SMTP really so hard that we shut down outbound SMTP except from corporate servers? Can we not apply behavioural policies such as rate-limiting and SMTP authentication so that we don't force people into using inappropriate web interfaces?

    I received an email with plain text and html formatting the other day. The plain text was 3k and the html was 12k. That's a 300% capacity penalty and a whole slew of security issues you don't need.

    /grump

    1. Ben Liddicott

      Re: Here's a question:

      Yes, we allow HTTP/S, but we (I hope) forbid anyone from using a personal email account or file-sharing site without a valid work reason. GMail from HTTPS should be blocked, so there is no reason to allow GMail IMAP.

      It's called data protection law - we have to take measures to prevent rogue employees stealing data. That's why your work web proxy has content filtering.

      Don't use work computers for personal use, people.

      1. Anonymous Coward
        Anonymous Coward

        Re: Here's a question:

        It's called data protection law - we have to take measures to prevent rogue employees stealing data.

        You do understand that in most countries, that isnt what data protection laws are about, dont you?

        1. Ben Liddicott

          Re: Here's a question:

          Well I'm really only talking about the EU and the UK in particular, since that's where I live and work. What are you talking about?

          For example in the UK it's DPA Schedule 1, s7:

          Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

          In other words, confidentiality and integrity must be protected, which requires protections against rogue employees stealing data.

          1. Anonymous Coward
            Anonymous Coward

            Re: Here's a question:

            In other words, confidentiality and integrity must be protected, which requires protections against rogue employees stealing data.

            not any or all company data, the law only gives a shit about personal data and it is a very, very important distinction.

            Missing out the word "personal" makes it ambiguous at best. The DPA really doesnt care about a rogue employee stealing any other form of data.

        2. Lee D Silver badge

          Re: Here's a question:

          I have to agree - this is EXACTLY what data protection laws are for.

          To stop your data wandering off because a rogue employee left a company that was storing it.

          To stop your data being sold off to the highest bidder against your will.

          To stop your data becoming front-page news because the ISP got a virus, etc.

          To stop your data being shown on the receptionist's screen and visible to all for no good reason when you walk in for your business appointment.

          Not a technical measure, but a legal one which is generally enforced by technology.

          I work in schools. In my workplace, I ban anything USB being plugged in. More for viruses (as they are a data protection nightmare, and a nuisance), but also so you can't just copy kids data, take it home, drop the stick somewhere and little-johnny-who's-son-of-a-celebrity has his home phone number put on Twitter.

          We also filter web access for child protection and for data protection reasons. You shouldn't be using GMail/Yahoo/whatever for business purposes, so access to them is monitored, recorded, filtered, etc.

          Data Protection is EXACTLY this. Stopping data getting into the hands of someone who DOES NOT NEED IT. That's the entire purpose of data protection. Theoretically, even allowing someone access to a password which could - in theory - let them access data they have no need for in their job is a data protection violation. Read the law, then come back.

          This is EXACTLY what Data Protection is.

          1. Joe Drunk
            Windows

            Re: Here's a question:

            @Lee D:

            Those data protection measures were standard policy at all but a few corporate environments I've worked for. Surprising to see them implemented in education sector. In my experience they were the most lax in this regard (USB drives widely used by students/staff as well as Gmail/Hotmail/Yahoo etc.). Some websites were blocked but the students easily bypassed the blacklists via vastly available free proxies.

            1. Lee D Silver badge

              Re: Here's a question:

              Data protection legislation in the UK applies to ALL data-handling entities.

              Schools.

              Charities.

              Hospitals.

              Businesses.

              Large multinationals.

              It does not distinguish.

              And for a while there's been personal liability, so *I* can go to jail for allowing it to happen, or a teacher/nurse can go to jail by being an idiot with someone's data. Additionally, even cloud-providers have to be vetted and there is government advice to schools regarding who is compliant (Google, Microsoft, DropBox) and who is not (Apple).

              Not saying that all schools do this, but if they don't they are liable to join the endless list of hospitals and schools being fined up to hundreds of thousands of pounds for the simplest of breaches.

              This has been the case since the 90's at least.

          2. Anonymous Coward
            Anonymous Coward

            Re: Here's a question:

            "You shouldn't be using GMail/Yahoo/whatever for business purposes"

            As a consultant / contractor I've worked on so many projects with so many legal entities that I simplified my business life with combining all my email comms under a me@outlook.com account. It's secure and I have Office 365 and OneDrive all connected to it. Now, you are still operating as a dinosaur and not only do you apparently disapprove of me but also probably block me. Fuck Off and learn how to deal with the real world.

            1. Lee D Silver badge

              Re: Here's a question:

              Sorry, but we cannot do that.

              The data on the system has to be protected. You dealing with it via a personal account that we do not control is actually ILLEGAL for certain data, without proper documentation, contracts and hand-off.

              Just because it's "convenient" for you does not mean it's legal for us.

              Hence, you will be blocked. Absolutely. And, were you a member of staff, going through a disciplinary procedure for exposing the employer to Data Protection convictions. As a contractor, you may just have your contract cancelled on the spot for doing so.

              This is not OUR doing. This is the DPA, how it's worded, how it's applied, and the existing case law. Which gives ME personal liability for YOUR access to OUR data. If you don't want to play ball, then you don't get access. That's the long and short of it.

              I will not be fined or jailed for YOUR arrogance with our data. And, yes, that is a possibility nowadays. Hospitals, schools and companies have tried to push the "But it was our contractor" defence and ended up being fined into oblivion. Put me at risk of that, and I will just shut down your access.

          3. PrivateCitizen

            Re: Here's a question:

            I have to agree - this is EXACTLY what data protection laws are for.

            Only if you mean "personal data" rather than "data."

            If you ignore this distinction, then things are going wrong.

  3. Ben Liddicott

    "Since fixed" => Past tense needs to be used

    allows -> allowed

    means -> meant

    can -> could

  4. Anonymous Coward
    Anonymous Coward

    Nice bug bounty

    25k is a nice figure to net for discovering a bug. Other companies argue for as long as it takes the white hat to just give up and say "fuck it, not worth discussing over $200 forever..."

    Kudos to M$ for paying a decent sum.

    (Disclaimer: I am not a fan of M$ at all, but credit where credit is due.)

    1. dogged

      Re: Nice bug bounty

      Especially since the article states he's "Synack senior security researcher Wesley Wineberg" so he presumably just got a $25K bonus as well as getting paid for doing his job.

  5. People's Poet

    Being a whitehat does pay!! Instead of trying to extort money from people, it's a pity more don't take this approach. It's also kudos to Microsoft for paying this person for "fixing" the issue.

  6. something_or_another
    WTF?

    Other than Devs......

    ..... does anyone wonder why MS paid $25K to someone that found a Dev 101 flaw that their DUMB FUCK DEVs don't understand?

    Offshore, or whatever you call bringing low $$$ "talent" (puke) here to write shit code, and you get XSS? What a bunch of बकवास

    1. Ben Liddicott

      Re: Other than Devs......

      Writing secure code is hard.

      Someone who thinks only "dumb" developers produce security bugs is overconfident, and is not the right person for the job.

      1. dogged

        Re: Other than Devs......

        > Someone who thinks only "dumb" developers produce security bugs is overconfident, and is not the right person for the job an idiot.

        FTFY.

  7. Alun Jones 1

    Don't read the headline, read the article.

    Seriously, did any of you read the actual article?

    Or even more unusual, click through the links to the source material?

    This was NOT an XSS attack. There is no XSS component described in the source material or the article itself. ONLY in the headline.

    So, no, Microsoft didn't just pay $25K for someone to find an XSS attack.

    To Tim 11: Your gf got hacked because she used a stupid password, or was keylogged, or uses the same password at Ashley Madison. The hackers are in her account. The only reason they haven't changed her password for her is that they want her to send non-spam emails so their spam can evade filters.

    To P. Lee: Your use of a different client is a relatively good idea, but you would then have to avoid using the web client even once in a poisoned environment. We do rely overly much as an industry on "HTTPS will protect us / HTML and JavaScript are the engines of choice", and that's often the cause of our downfall. If the suggested fix to a security problem is to know where it lies and avoid it, the effort involved in doing so is more than actually fixing the underlying bug.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019