Security researcher gets $24k in reward money from Microsoft for Hotmail hack
A security researcher collected $24,000 in reward money from Microsoft for finding a cross-site request forgery (CSRF) vulnerability in its Hotmail email service that could allow an attacker to take control of a user's account. In doing so, he joined the growing number of people earning thousands of dollars through bug bounties.
Wesley Wineberg has described his work on the Synack Labs blog. Microsoft has recognised him in its official hall of fame of bounty recipients for helping to protect its online services; according to Microsoft, his contributions were acknowledged in, among other periods, June and July 2015. However, Microsoft has not published the amount of the reward.
Wineberg began by analysing how an attack on Hotmail, now known as Outlook.com, would start. He examined the login process served from “login.live.com” and found there were “a lot of places that something could go wrong,” pointing in particular to problems in the OAuth services that let third-party apps be authorised against a Microsoft account.
Wineberg said he was able to carry out his attack because of the way the account authentication system links Microsoft accounts to third-party applications.
Digging into Microsoft’s Live APIs, Wineberg found a flaw in the consent and token-issuing code: it allowed an application to be granted permissions on a user’s account without the user ever clicking “Yes” in the consent dialog that is normally displayed.
To test this, he built an “evil” app that requested permission to download email from a user’s account. Exploiting the flaw, he was able to dump the contents of a user’s inbox to a website without the user ever granting the app access to their account.
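To illustrate the class of bug described above, the following is an added example, not Wineberg’s proof of concept and not Microsoft’s code. It models a simplified OAuth consent endpoint in Python: one handler trusts the session cookie alone, so a cross-site POST from an attacker’s page (which the browser sends with the victim’s cookie attached) is enough to grant the attacker’s app access; the hardened handler additionally requires a per-session anti-CSRF token that the attacker’s page cannot read, and checks the request origin. The host names, client ids and scope strings (auth.example.test, evil-app, mail.read and so on) are constructed for the example and do not correspond to the real service.

```python
import hmac
import secrets

# Constructed in-memory stores for the example; a real authorization server
# would back these with a session store and a consent database.
SESSIONS = {}   # session cookie value -> {"user": ..., "csrf": ...}
GRANTS = []     # (user, client_id, scope) consent records

AUTH_ORIGIN = "https://auth.example.test"   # assumed origin of the consent page


def login(user):
    """Create a browser session for the user and return the cookie value.
    A fresh anti-CSRF token is minted per session for the hardened handler."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(16)}
    return sid


def render_consent_form(cookie):
    """The legitimate consent page embeds this token in a hidden field.
    Only a page served from AUTH_ORIGIN can read it (same-origin policy)."""
    return SESSIONS[cookie]["csrf"]


def consent_vulnerable(cookie, form):
    """Consent handler that authenticates the request by cookie alone.
    Because browsers attach cookies to cross-site form posts, any page the
    victim visits can submit this form and have it accepted."""
    sess = SESSIONS.get(cookie)
    if sess is None:
        return ("401", "not logged in")
    if form.get("decision") != "yes":
        return ("200", "denied")
    GRANTS.append((sess["user"], form["client_id"], form["scope"]))
    return ("302", "code issued to " + form["client_id"])


def consent_hardened(cookie, form, origin):
    """Same handler with two CSRF defences: the request must come from the
    authorization server's own origin, and it must carry the token that was
    issued to this session, compared in constant time."""
    sess = SESSIONS.get(cookie)
    if sess is None:
        return ("401", "not logged in")
    if origin != AUTH_ORIGIN:
        return ("403", "cross-origin request rejected")
    if not hmac.compare_digest(form.get("csrf", ""), sess["csrf"]):
        return ("403", "missing or wrong csrf token")
    if form.get("decision") != "yes":
        return ("200", "denied")
    GRANTS.append((sess["user"], form["client_id"], form["scope"]))
    return ("302", "code issued to " + form["client_id"])


def forged_consent_post(client_id, scope):
    """What an attacker's auto-submitting form sends: the attacker's own
    client_id and the scope it wants. It cannot include the victim's CSRF
    token because the attacker's page cannot read it."""
    return {"client_id": client_id, "scope": scope, "decision": "yes"}


def demo():
    """Run the forged post against both handlers, then a legitimate consent
    against the hardened one. Returns the three status codes and the list
    of client ids that ended up with a grant."""
    GRANTS.clear()
    cookie = login("victim@example.test")
    forged = forged_consent_post("evil-app", "mail.read")

    vuln_status, _ = consent_vulnerable(cookie, forged)
    hard_status, _ = consent_hardened(cookie, forged,
                                      origin="https://attacker.example.test")

    # The real user, on the real consent page, approving a real app.
    legit = dict(forged, client_id="good-app", csrf=render_consent_form(cookie))
    legit_status, _ = consent_hardened(cookie, legit, origin=AUTH_ORIGIN)

    return vuln_status, hard_status, legit_status, [g[1] for g in GRANTS]


if __name__ == "__main__":
    print(demo())
```

The vulnerable handler issues a grant to evil-app on the strength of the victim’s cookie alone; the hardened handler rejects the same request on origin and token before any grant is recorded, while the genuine consent from the real page still succeeds. Binding the token to the session (rather than using a fixed or predictable value) is what makes the check meaningful.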
Speaking of his discovery, Wineberg said: “As an outside tester I have no idea how long this vulnerability may have existed, or if anyone ever tried to exploit it. At the same time, it is findings like this that definitely show the value of allowing outside testers to submit vulnerabilities to your company before attackers leverage them against you.”
After Wineberg reported the issue, the Redmond company responded and fixed it quickly. While he praised Microsoft’s attitude towards security, he also warned that any organisation operating at scale should expect to find problems in its software.
He wrote: “Microsoft is far ahead of most companies when it comes to security, and yet are still susceptible to issues like this one. Synack’s experience has been that vulnerabilities are uncovered even in seemingly well secured systems when a large group of outside researchers test that system. That is essentially the premise that Synack operates on, and is why more and more companies are offering their own bounty programs.”
Because the forged consent applied to the user’s entire Microsoft account, an attacker could have requested permissions for any of the available features, including contacts and calendar appointments.
Wineberg completed his proof-of-concept attack on August 23 and reported it to Microsoft on August 25. Six days later the issue was acknowledged, and on September 15 Wineberg received $24,000, in part thanks to a double-bounty promotion that Microsoft was running at the time.