Outlook.com had classic security blunder in authentication engine

Synack senior security researcher Wesley Wineberg has received US$25,000 from Microsoft for quietly disclosing a bug that allows any Hotmail account to be hijacked.

The cross-site request forgery vulnerability means that any user visiting a malicious page can have their accounts hijacked without further interaction.

The since-patched hole existed in Microsoft Live.com and could have been spun into a dangerous worm, Wineberg says.

"With IMAP and contact book access, a worm could easily email all of a user’s contacts - or at least the ones who use Hotmail, Outlook.com - with something enticing, ILOVEYOU virus -style, and spread to every user who clicks the link," Wineberg says.

"The only prerequisite was that the victim was logged in and had a valid session token in their cookie.

"This CSRF lets me bypass the user interaction step of the OAuth authentication system."

Wineberg created a proof-of-concept application that could hijack sessions and showcased it in a video.

He says the vulnerability is merely a "classic" cross-site request forgery that happens to exist in a critical authentication area.

The hacker says Microsoft's other APIs encountered in regular login appear secure. ®