Microsoft has fixed a vulnerability in its login system which could be used to hijack user accounts.
Cybersecurity company CyberArk found that Microsoft had left its systems vulnerable by allowing malicious parties to steal account tokens.
These tokens are usually used to let users stay logged into websites and access third-party apps or websites without using their passwords.
However, in research shared with TechCrunch, CyberArk found that there were numerous unregistered subdomains that were connected to Microsoft apps and were categorised as highly trusted.
If a malicious party could trick a user into clicking a crafted link to one of these subdomains, the malicious party could then steal one of the user’s access tokens.
CyberArk found that access tokens could be stolen in some cases with almost no user interaction – by simply using a malicious website that hides an embedded webpage.
This would achieve the same result as getting someone to click on a link in a malicious email.
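The weakness described above is a trusted hostname that nobody actually controls. One defensive check that follows from it is to audit the reply URLs an OAuth application trusts and flag any whose hostname no longer resolves. The following is an added example, not code from CyberArk's research or from Microsoft; the hostnames and the fake resolver results are constructed so it runs offline, and `resolve_with_dns` is the hypothetical live-DNS variant.

```python
import socket
from urllib.parse import urlsplit

# Constructed sample: reply URLs an OAuth app trusts. The hostnames are
# placeholders, not the subdomains from CyberArk's report.
SAMPLE_REPLY_URLS = [
    "https://portal.example-trusted.com/auth/callback",
    "https://old-demo.example-trusted.com/callback",  # assumed abandoned
    "https://login.example-trusted.com/oauth2/reply",
]

# Constructed resolver results so the audit runs offline; a real run
# would pass resolve_with_dns instead.
FAKE_DNS = {
    "portal.example-trusted.com": True,
    "old-demo.example-trusted.com": False,
    "login.example-trusted.com": True,
}

def resolve_with_dns(hostname):
    """Return True if the hostname currently has an address record."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False

def find_dangling_reply_urls(reply_urls, resolve=resolve_with_dns):
    """Return (url, reason) pairs for trusted reply URLs that need review.

    A trusted hostname that does not resolve is a takeover candidate: the
    identity provider would still send tokens to it, yet nobody owns it.
    Confirm any hit against the registrar before treating it as unregistered.
    Non-https reply URLs are flagged too, since a token sent over plain http
    can be read in transit.
    """
    findings = []
    for url in reply_urls:
        parts = urlsplit(url)
        host = parts.hostname
        if parts.scheme != "https" or host is None:
            findings.append((url, "not an https URL with a hostname"))
        elif not resolve(host):
            findings.append((url, "hostname does not resolve"))
    return findings

if __name__ == "__main__":
    for url, reason in find_dangling_reply_urls(SAMPLE_REPLY_URLS, FAKE_DNS.get):
        print(f"{url}: {reason}")
```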
The flaw was reported to Microsoft in October 2019 and was fixed three weeks later.
“We resolved the issue with the applications mentioned in this report in November and customers remain protected,” a Microsoft spokesperson told TechCrunch.