British researcher Jack Whitton has reported an authentication bug in Microsoft accounts that would have let attackers hijack accounts and would have been another arrow in a phisher's quiver, had Microsoft not fixed it.
Whitton reported the flaw privately to Microsoft, which took only two days to triage and patch it.
The flaw meant an attacker could have set up a phishing page posing as a Microsoft property such as Outlook, captured the victim's authentication token when they signed in, and then replayed that token in a manipulated POST request to log into the victim's account.
Original Source: The Register