Welcome to SGCyberSecurity forum!

Microsoft login.live.com Arbitrary Text Injection

54 years 9 months ago #1039 by o_misslynn

So is it fixed already?


54 years 9 months ago #1052 by o_icemanssl22

Yes. But they usually break something on the way. Can revisit the code and discover the soft spot.


54 years 9 months ago #1061 by o_cyberfox123

wonder how much is the bounty. hehe. :)


9 years 3 weeks ago #1034 by o_icemanssl22

Original at:
securityresearch.shaftek.biz/2015/09/ins...-login-live-com.html

Overview
Web widgets hosted on Microsoft's online login portal, login.live.com, do not perform sufficient parameter sanitization, allowing an attacker to inject arbitrary text into a dialog shown under the login.live.com origin.

Background
Microsoft offers several legacy JavaScript widgets that are used to display and customize sign-in links and buttons for Windows Live ID. They are hosted on login.live.com at the following URLs:

login.live.com/controls/WebAuth.htm
login.live.com/controls/WebAuthButton.htm
login.live.com/controls/WebAuthLogo.htm

They are documented by Microsoft in the Sign-in Link API reference listed under References and accept several parameters that are used to customize the resulting widget.

Details
One of the parameters, style, is used to pass CSS styling commands to the JavaScript widgets described above. This parameter is not sanitized: the widget reflects the value passed to it back to the user via JavaScript's alert() method. It can therefore be coerced into displaying arbitrary text of the attacker's choosing, which appears to originate from a legitimate Microsoft website. While this does not result in script execution, it can be used as part of a social engineering campaign against users (for example, a link whose "style" value instructs the victim to re-enter credentials elsewhere).

Example URL with malicious content:

login.live.com/controls/WebAuth.htm?appi...rname_and_password:t

References
MSRC Case # 30838 / TRK # 0189016
Microsoft Sign-in Link API: msdn.microsoft.com/en-us/library/bb676638.aspx

Credits
Thank you to Grier Forensics for providing advice.

Bounty Information
This discovery qualified for a security bounty under the terms of Microsoft's Online Services Bug Bounty program.

Timeline
2015-08-06: Vendor notified
2015-08-06: Initial vendor response
2015-08-11: Vendor replicated the issue
2015-08-31: Fix deployed by vendor
2015-09-17: Bounty received
2015-09-21: Public disclosure

Version Information
Version 2
Last updated on 2015-09-20

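The reflection described in the Details section above, shown as an added example that is not part of the original advisory and is not Microsoft's widget code. It contrasts a widget handler that hands the raw "style" query parameter to the user-visible dialog with one that validates the parameter against an allowlist of CSS properties and conservative values and never echoes rejected input. The alert message format, the allowlist, and the attack URL are assumptions constructed for illustration; only the login.live.com widget path comes from the advisory.

```javascript
// Added example: unvalidated reflection of ?style= versus allowlist validation.
// Assumptions: message formats and the allowlist are illustrative, not taken
// from login.live.com; the attack URL below is constructed for the demo.

// Constructed attacker URL: the "style" value is social-engineering text,
// not CSS. A phishing campaign would send the victim to a URL like this.
const INJECTED_TEXT =
  'Your session has expired. Re-enter your username and password at attacker.example';
const ATTACK_URL =
  'https://login.live.com/controls/WebAuth.htm?style=' +
  encodeURIComponent(INJECTED_TEXT);

function getStyleParam(widgetUrl) {
  return new URL(widgetUrl).searchParams.get('style') || '';
}

// Vulnerable pattern: whatever arrived in ?style= is placed in the dialog
// verbatim, so the attacker controls text shown under a trusted origin.
function vulnerableAlertMessage(widgetUrl) {
  const style = getStyleParam(widgetUrl);
  return 'Unsupported style: ' + style; // hypothetical message format
}

// Hardened pattern: accept only known CSS properties with conservative
// values, and never echo the rejected input back to the user.
const ALLOWED_PROPS = new Set([
  'color', 'background-color', 'font-size', 'font-family', 'width', 'height',
]);
// Letters, digits, '#', '%', '.', ',', spaces and '-': enough for colours,
// lengths and font names. No parentheses, quotes, colons or slashes, so
// url(), expression() and javascript: values never pass.
const SAFE_VALUE = /^[A-Za-z0-9#%.,\s-]{1,40}$/;

// Parses "prop:value;prop:value" and returns either the normalised CSS or a
// rejection with a reason intended for server-side logging only.
function validateStyle(style) {
  const accepted = [];
  for (const raw of style.split(';')) {
    const decl = raw.trim();
    if (decl === '') continue;
    const sep = decl.indexOf(':');
    if (sep < 0) return { ok: false, reason: 'malformed declaration' };
    const prop = decl.slice(0, sep).trim().toLowerCase();
    const value = decl.slice(sep + 1).trim();
    if (!ALLOWED_PROPS.has(prop)) return { ok: false, reason: 'property not allowed' };
    if (!SAFE_VALUE.test(value)) return { ok: false, reason: 'value not allowed' };
    accepted.push(prop + ':' + value);
  }
  return { ok: true, style: accepted.join(';') };
}

const REJECTED_MESSAGE = 'The style parameter was not accepted.';

// Returns the CSS to apply, or a fixed user-facing message that contains
// nothing from the request when validation fails.
function hardenedStyleHandler(widgetUrl) {
  const result = validateStyle(getStyleParam(widgetUrl));
  if (result.ok) return { css: result.style, alert: null };
  return { css: '', alert: REJECTED_MESSAGE, logReason: result.reason };
}

console.log('vulnerable dialog text:', vulnerableAlertMessage(ATTACK_URL));
console.log('hardened handler result:', hardenedStyleHandler(ATTACK_URL));
```

The key design point is that the hardened handler never builds a user-visible string out of request data: a fixed message is shown and the reason is kept for logs, so even a parameter that passes nowhere near script execution cannot put attacker-chosen text on the trusted origin.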