CyberArk’s researchers discovered a vulnerability in Microsoft OAuth 2.0 applications. The flaw could have allowed attackers to hijack Azure accounts. Microsoft has since fixed the bug; the researchers stated that unsuspecting victims could easily have handed over access to their online accounts because of it. Account tokens let users access their accounts without re-entering passwords, but the bug in the login system allowed attackers to steal those tokens from users. Websites and applications create the tokens whenever a user logs in, which is what keeps users continuously signed in to their accounts. CyberArk, the Israel-based cybersecurity company, identified the loophole Microsoft had left open.
CyberArk’s research found that several Microsoft-built applications were connected to subdomains that had never been registered. Because in-house apps are treated as secure and highly trusted, a redirect to such a subdomain receives an access token without the user being asked for explicit consent. An attacker who registers one of those subdomains therefore controls where the token is delivered, and all they needed was for the user to click a crafted link in an email to steal the token. Microsoft’s spokesperson stated that the issue has been fixed and that customers remain protected.
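A defensive audit of the pattern described above, written as an added example that is not part of the article or CyberArk’s research: it flags reply URLs on an OAuth app whose hostnames are not in the organisation’s own DNS inventory (candidates for dangling-subdomain takeover) or that use wildcards, and shows the exact-match comparison an authorization server should apply to `redirect_uri`. The app names, hostnames and inventory are constructed sample data.

```python
from urllib.parse import urlparse

# Constructed sample: reply URLs registered on a hypothetical OAuth app,
# plus the set of hostnames the organisation actually controls in DNS.
REGISTERED_REPLY_URLS = [
    "https://portal.example.com/signin-oidc",
    "https://legacy-beta.example.com/callback",  # host no longer provisioned
    "https://*.example.com/auth",                # wildcard: any subdomain
]
OWNED_HOSTNAMES = {"portal.example.com", "www.example.com"}


def audit_reply_urls(reply_urls, owned_hostnames):
    """Return (url, reason) findings for reply URLs that could deliver a
    token to a host the organisation does not control."""
    findings = []
    for url in reply_urls:
        host = urlparse(url).hostname or ""
        if "*" in host:
            findings.append((url, "wildcard host"))
        elif host not in owned_hostnames:
            findings.append((url, "hostname not in inventory (possible dangling subdomain)"))
    return findings


def is_allowed_redirect(redirect_uri, reply_urls):
    """Exact string comparison against the registered list: no prefix,
    subdomain or wildcard matching, so an unregistered host never qualifies."""
    return redirect_uri in reply_urls


if __name__ == "__main__":
    for url, reason in audit_reply_urls(REGISTERED_REPLY_URLS, OWNED_HOSTNAMES):
        print(f"RISK  {url}: {reason}")
    print(is_allowed_redirect("https://evil.example.com/auth", REGISTERED_REPLY_URLS))
```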