It took Microsoft almost six months to fix two vulnerabilities that put our data at risk
When we talk about security on our computers, we always think of the router as the first point we should monitor. We worry about controlling security in our own environment, but what happens when it does not depend on us? If the failure lies with the companies that provide us with services, there is little we can do.
Once again we are talking about the security of our equipment, and once again because of a failure that originated at a large company. Recently it was Google that announced an error that had put the security of millions of users at risk; now it is Microsoft that has reported that the data of users of Outlook, Microsoft Store… have been exposed to possible attacks.
An error in the domain success.office.com may have put Microsoft users at risk. This is what researcher Sahad Nk, working for Safety Detective, has discovered; he has brought to light two vulnerabilities that left everything from our Office documents to Outlook emails under threat.
Apparently, he discovered that the aforementioned domain was not configured correctly. The bug allowed a web application to be configured in Azure that matched the domain's CNAME record, the record type used to map domain aliases and subdomains to a main domain. This allowed him to take full control of the domain and, most importantly, to have access to all the data that was sent to it.
"At that time a second security breach was echoed. Since Microsoft applications send authenticated login tokens to the subdomain http://success.office.com, at the time a user was logged in to some application, his data was sent to Sahad's server. And all this without the users being aware of it."
We now know about these two vulnerabilities, which have already been fixed by Microsoft. The worrying thing is how long they remained active, a period during which the data may have been at risk. The errors were reported in June and fixed in November, so they were active for almost 6 months.
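As an added illustration, not code from the researcher, Safety Detective or Microsoft: a defender-side audit that scans a DNS zone export for CNAME records still pointing at Azure hostnames that no longer resolve, the kind of misconfiguration described in this article. The suffix list, the example.com names, the sample zone and the stand-in resolver are assumptions constructed for the example, and a failed lookup is only a heuristic signal that the target has been released.

```python
import socket

# Assumed, non-exhaustive list of Azure-hosted suffixes a customer CNAME may target.
AZURE_SUFFIXES = (".azurewebsites.net", ".cloudapp.net", ".trafficmanager.net")

def parse_cnames(zone_text):
    """Yield (alias, target) for each CNAME line of a BIND-style zone export."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # strip trailing comments
        if "CNAME" in fields:
            i = fields.index("CNAME")
            if i >= 1 and i + 1 < len(fields):
                yield fields[0].rstrip(".").lower(), fields[i + 1].rstrip(".").lower()

def resolves(hostname):
    """Default resolver: True if the name currently resolves to an address."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False

def find_dangling(zone_text, resolver=resolves):
    """Return (alias, target) pairs whose Azure target no longer resolves.

    Such an alias still directs clients to a resource name nobody holds, so
    the record should be deleted or the resource reclaimed by its owner.
    """
    return [(alias, target) for alias, target in parse_cnames(zone_text)
            if target.endswith(AZURE_SUFFIXES) and not resolver(target)]

# Constructed sample zone export; all names are placeholders.
SAMPLE_ZONE = """\
www.example.com.      3600 IN CNAME example-prod.azurewebsites.net.
success.example.com.  3600 IN CNAME example-retired.azurewebsites.net. ; app deleted
mail.example.com.     3600 IN CNAME mail.example.net.
"""

if __name__ == "__main__":
    # Stand-in resolver so the example runs offline: only these names "exist".
    live = {"example-prod.azurewebsites.net", "mail.example.net"}
    for alias, target in find_dangling(SAMPLE_ZONE, resolver=live.__contains__):
        print(f"DANGLING: {alias} -> {target} (delete the record or reclaim the app)")
```

Run against a real zone export with the default resolver, the same function reports every alias that outlived the Azure resource it was created for.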
Source | Safety Detective