How I hacked 40,000 user accounts of Microsoft using 2FA bypass(outlook.live.com).

Web.archive.org is my favourite tool and so I thought to choose outlook.live.com to make my target component.

Microsoft Outlook is a personal information manager from Microsoft, available as a part of the Microsoft Office suite. Although often used mainly as an email application, it also includes a calendar, task manager, contact manager, note taking, journal, and web browsing.

It can be used as a stand-alone application, or can work with Microsoft Exchange Server and Microsoft SharePoint Server for multiple users in an organization, such as shared mailboxes and calendars, Exchange public folders, SharePoint lists, and meeting schedules. Microsoft has also released mobile applications for most mobile platforms, including iOS and Android. Developers can also create their own custom software that works with Outlook and Office components using Microsoft Visual Studio. In addition, Windows Phone devices can synchronise almost all Outlook data to Outlook Mobile.

This is more secured platform used by million of users on daily basis at corporate and personal use level.

When I was searching for archived directories in web.archive.org, it suddenly strikes with some common parameter like below:

/owa/username@hotmail.com/

and then my second step is to check that whether these username are expired one or active users, when put the first username, it gives me link that username is valid and redirected to password page. I tried many attempts to reset the password but no success. Then I tried one last option “I do not have any of these”. Afterwards you will redirected to next page where it will ask you to send the authentication code in any mail id.

Now you have valid Microsoft username and your valid email id to receive the authentication code.

At last I got the below authentication code:

Microsoft account

Password reset code:

Please use this code to reset the password for the Microsoft account go*****@gmail.com.

Here is your code: 0470572

If you don’t recognise the Microsoft account go*****@gmail.com, you can click here to remove your email address from that account.

Thanks,

The Microsoft account team

I simply put the authentication code and redirected to security question where I need to answer very basic question, this is below screenshot and half of the information, you can get from username and other from social engineering.

One can easily bypass these scenarios and I found more than 40,000 active users through waybackurls utility when I asked the Microsoft security team to reset the password for any active users, hence they did not allow me to do so and created their test accounts to allow me to reset their passwords. This is very basic security questionnaire, if you can compare with Google account recovery page, as they have put it over there and one can easily bypass it.

When I asked to Microsoft security team that this is high critical bug and impacted large number of Microsoft users and simply ignored. This is below reply got from Microsoft.

Microsoft Reply:

Hello Vartul

As stated earlier, these are not password reset codes, but just the codes to check if the email provided is valid. These cannot be used to reset password. Also, once the email has been confirmed, an attacker needs to provide verification information about the account for resetting password. That information is then verified. The attack mentioned in the report is not a security bypass.

Please let me know if you have more questions. We have closed the case.

Thanks

MSRC

Reproducing Steps:

  1. Go to below URLs and pick all emails and collect it one tex file.

2. Collect it all emails which contains all emails after /owa/evangelinedobney@hotmail.com/ in this pattern.

3. All URL’s, I have collected from web.archive.org.

4. Let collect the six emails and try to exploit it.

evangelinedobney@hotmail.com — → can reset the password for this account.

evanieves269@msn.com — — → can reset the password for this account also.

evaserio@hotmail.it — — — ->can reset the password for this account also.

evuong@hotmail.com — — →can reset the password fo this account also.

explicitsoundz@hotmail.com — →can reset the password fo this account also.

fernandosoares121253@hotmail.com — ->last one access code I received and can reset the password for it.

5. I got the 6 mails and let try to show in video how to exploit it. I will take email id one by one.

6. Go to https://outlook.live.com, lets make the video.

7. From video, it has been clearly shown that I can able to reset the password for any user mail mentioned in below mails.

here is below video link for more description:

https://www.youtube.com/watch?v=mzxX1h9sG9Y