400 million Office 365 accounts were vulnerable to hack

A misconfigured Microsoft subdomain seems to have exposed the accounts of 400 million Office 365 users to a possible acquisition. That’s what security researchers report, who found out that Microsoft hadn’t properly secured a subdomain of Office.com.

The error was discovered and reported by the Indian security investigator and Microsoft-bughunter Sahad Nk. He found out that the success.office.com subdomain was not properly set up and that the right measures had not been taken. This made it possible to intercept all data passing through the domain.

Misdirect subdomain

The TechCrunch site reports that Nk was able to divert traffic from the subdomain to a remote server. This made it relatively easy for him to intercept all the data that went through the subdomain. He could use his own Microsoft account to take over the subdomain.

Because Nk was able to do so, an error was immediately exposed in Microsoft’s OAuth checks. TechCrunch reports that the Microsoft Office, Store and Sway apps could be misled and that authenticated login tokens were sent to Nk’s domain. The errors were reported to Microsoft, which immediately resolved them. Microsoft has therefore paid Nk the bug bounty for his work.

Already solved

Due to the problems, all Office 365 accounts were exposed to a possible takeover. It was also about business accounts. In addition, e-mails, documents and other files were also exposed to the problems. In the meantime, however, the problem has already been solved and it seems that no one has abused the errors.

The bug was fixed in November, Microsoft confirms. The Microsoft Security Response Center solved the issue in November 2018, so the problem is over and there are no more accounts in danger. Microsoft only needed to change a number of domain references in order to solve the problems.