Synack senior security researcher Wesley Wineberg has received US$25,000 from Microsoft for quietly disclosing a bug that allows any Hotmail account to be hijacked.
The cross-site request forgery vulnerability means that any user visiting a malicious page can have their accounts hijacked without further interaction.
The since-patched hole existed in Microsoft Live.com and could have been spun into a dangerous worm, Wineberg says.
"With IMAP and contact book access, a worm could easily email all of a user’s contacts - or at least the ones who use Hotmail, Outlook.com - with something enticing, ILOVEYOU virus -style, and spread to every user who clicks the link," Wineberg says.
"The only prerequisite was that the victim was logged in and had a valid session token in their cookie.
"This CSRF lets me bypass the user interaction step of the OAuth authentication system."
Wineberg created a proof-of-concept application that could hijack sessions and showcased it in a video.
He says the vulnerability is merely a "classic" cross-site request forgery that happens to exist in a critical authentication area.
The hacker says Microsoft's other APIs encountered in regular login appear secure. ®