Microsoft patches critical authentication flaw

Wednesday 6 April 2016 00:49 CET | News

Microsoft has patched, within 48 hours of being notified, a vulnerability that exposed user accounts to hijacking.

According to British security researcher Jack Whitton, the vulnerability could be exploited through phishing websites designed to harvest login tokens and later use them to compromise user accounts and data. He added that manipulating POST values could be used in attacks that impersonate users of Microsoft products.

Microsoft operates a number of online services, ranging from Outlook email to Azure. When users wish to access one of these services, they enter their credentials and a POST request is sent to the address given in the wreply value for that service's domain, carrying a login token for the user in question. The token is then consumed by the service to complete the login.

While each token is only valid for the service that issued it (a token for Outlook cannot be used against Azure, and vice versa), Whitton says it would be a simple matter to create multiple hidden iframes whose login URLs point at different services in order to harvest several tokens at once.

Cookies are not used for authentication here because each service is hosted on a separate domain; only the token is required. If the token's destination can be redirected to an attacker's server, the attacker can replay it to log in as the victim in a cross-site forgery attack.
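The defensive point in the paragraphs above is that a login token posted to a caller-supplied return address is only as safe as the check on that address. The article does not state what the faulty check looked like, so the following is an added example (not Microsoft's code and not Whitton's proof of concept) that contrasts a hypothetical weak substring check with a strict scheme-and-host allowlist match. The hostnames, the `wreply` parameter name taken from the article, and the helper names are all constructed for illustration.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist: one (scheme, host) pair per service that is allowed
# to receive a login token. Hypothetical hostnames, not real Microsoft domains.
ALLOWED_RETURN_ORIGINS = {
    ("https", "mail.example-service.test"),
    ("https", "cloud.example-service.test"),
}


def weak_return_url_check(wreply: str) -> bool:
    """Illustrative weak check: accepts any URL that merely *contains* an
    allowed hostname. This is a hypothetical anti-pattern, not the page's
    stated root cause; it is here to show what the strict check must reject."""
    return any(host in wreply for _, host in ALLOWED_RETURN_ORIGINS)


def strict_return_url_check(wreply: str) -> bool:
    """Parse the return URL and compare scheme and host exactly against the
    allowlist. Rejects userinfo (user@host tricks), non-https schemes,
    non-default ports, and lookalike subdomains of attacker-controlled sites."""
    try:
        parts = urlsplit(wreply)
        host = parts.hostname        # lowercased, userinfo and port stripped
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or not host:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    if port not in (None, 443):
        return False
    return (parts.scheme, host) in ALLOWED_RETURN_ORIGINS


def token_post_target(wreply: str, token: str) -> Optional[str]:
    """Return the address the login token may be POSTed to, or None if the
    supplied return URL fails the strict check. The token is never attached
    to a rejected destination."""
    if not strict_return_url_check(wreply):
        return None
    return wreply


if __name__ == "__main__":
    # Constructed sample return URLs: one legitimate, three attacker-shaped.
    samples = [
        "https://mail.example-service.test/login/callback",
        "https://mail.example-service.test.evil.test/",          # lookalike subdomain
        "https://mail.example-service.test@evil.test/",          # userinfo trick
        "https://evil.test/?next=https://mail.example-service.test",  # host in query
    ]
    for url in samples:
        print(f"{url}\n  weak={weak_return_url_check(url)} strict={strict_return_url_check(url)}")
```

Every iframe in the harvesting scenario described above triggers its own login request, so the strict check runs per request and rejects any return address that is not an exact allowlisted origin, regardless of how many services are targeted in parallel. Comparing parsed components rather than raw strings is what closes the lookalike-host and userinfo cases.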


Keywords: authentication, phishing, Token, cybercrime, online security, Microsoft
Categories: Fraud & Financial Crime
Countries: World