[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Advisory: Insufficient Parameter Sanitization in login.live.com (Microsoft)
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Advisory: Insufficient Parameter Sanitization in login.live.com (Microsoft)
- From: securityresearch@xxxxxxxxxxx
- Date: Mon, 21 Sep 2015 12:38:58 GMT
Original at:
http://securityresearch.shaftek.biz/2015/09/insufficient-parameter-sanitization-login-live-com.html
Overview
Web widgets hosted by Microsoft?s online login portal, login.live.com, do not
perform sufficient parameter sanitization allowing an attacker to inject
arbitrary text.
Background
Microsoft offers several legacy Javascript widgets that are used to display and
customize sign-in link and buttons using Windows Live ID. They are hosted on
login.live.com at the following URLs:
https://login.live.com/controls/WebAuth.htm
https://login.live.com/controls/WebAuthButton.htm
https://login.live.com/controls/WebAuthLogo.htm
They are documented by Microsoft here and accept several parameters that are
used to customize the resulting widget.
Details
One of the parameters, style, is used to pass in CSS styling commands for the
Javascript widgets described above. However, this parameter is not sanitized,
and reflects back the information passed to to it via Javascript's alert()
method. It can be coerced to reflect arbitrary text of the attacker?s choosing,
making it seemingly appear on a legit Microsoft website. While this does not
result in script execution, it can be used as part of a social engineering
campaign to attack users.
Example URL with malicious content:
https://login.live.com/controls/WebAuth.htm?appid=test&style=Please_call_Microsoft_Support_at_1-800-BAD-GUYS_and_provide_your_username_and_password:t
References
MSRC Case # 30838 / TRK # 0189016
Microsoft Sign-in Link API:
https://msdn.microsoft.com/en-us/library/bb676638.aspx
Credits
Thank you to Grier Forensics for providing advice.
Bounty Information
This discovery qualified for a security bounty under the terms of Microsoft's
Online Services Bug Bounty program.
Timeline
2015-08-06: Vendor notified
2015-08-06: Initial vendor response
2015-08-11: Vendor replicated the issue
2015-08-31: Fix deployed by vendor
2015-09-17: Bounty received
2015-09-21: Public disclosure
Version Information
Version 2
Last updated on 2015-09-20