Email is, perhaps, the most hopelessly insecure of all web apps. For individuals and businesses alike, keeping hackers out of inboxes can be a nightmare. This summer, Wesley Wineberg, a security researcher at Synack, found that to be all too true, discovering a bug in the login system behind Microsoft’s Live.com, and therefore affecting every service running on it, that let a malicious hacker gain access to a user’s entire Outlook account.
Admittedly, there was plenty of trickery involved. Wineberg first analysed how Outlook lets third-party apps access a user’s account, which it does through OAuth, the standard framework for delegating authorisation to another application. He found that he could register an “evil app” of his own and, because the step where the user approves an app’s access was not protected against forged requests, he only needed to trick a logged-in user into visiting a web page: the victim’s browser would submit the approval for them, effectively granting that naughty software access to everything in their account.
To most hackers, this kind of vulnerability, known as cross-site request forgery (CSRF), is a familiar one, and it is all too common across the web. Typically, these attacks end as soon as the legitimate user logs out, but in the case of Outlook anyone abusing Wineberg’s vulnerability would have permanent access to the account, Wineberg said.
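To make the mechanism concrete, here is an added, self-contained simulation of an OAuth consent endpoint with and without CSRF protection. It is illustrative code written for this article, not Microsoft’s implementation or Wineberg’s exploit; the client IDs, scopes, token formats and the `Origin` header value are invented. The vulnerable server accepts any approval that arrives with a valid session cookie, which the browser attaches automatically, so a form auto-submitted from an attacker’s page is enough to issue a long-lived grant that survives the victim logging out. The hardened server additionally demands a per-session anti-CSRF token that only the genuine consent page carries.

```python
"""Simulated OAuth consent endpoint: CSRF-vulnerable beside hardened.

Illustrative example only (not Microsoft's or Wineberg's code). All
identifiers below (client IDs, scopes, cookie and token formats) are
constructed for this demo.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal model of an HTTP request as the consent endpoint sees it."""
    method: str
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


class AuthorizationServer:
    """Toy OAuth provider: browser sessions for users, long-lived grants for apps."""

    def __init__(self, require_csrf_token: bool):
        self.require_csrf_token = require_csrf_token
        self.sessions = {}     # session cookie value -> user
        self.csrf_tokens = {}  # session cookie value -> per-session anti-CSRF token
        self.grants = {}       # refresh token -> (user, client_id, scope)

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = user
        self.csrf_tokens[sid] = secrets.token_urlsafe(16)
        return sid

    def logout(self, sid: str) -> None:
        self.sessions.pop(sid, None)
        self.csrf_tokens.pop(sid, None)

    def render_consent_page(self, sid: str) -> dict:
        """What the legitimate consent page embeds as a hidden form field.
        A page on another origin cannot read this value."""
        return {"csrf_token": self.csrf_tokens[sid]}

    def consent(self, req: Request):
        """POST /consent: the logged-in user approves client_id for scope."""
        if req.method != "POST":
            return 405, None
        sid = req.cookies.get("session")
        user = self.sessions.get(sid)
        if user is None:
            return 401, None
        if self.require_csrf_token:
            # Hardened path: the submitted token must match the session's token.
            expected = self.csrf_tokens[sid]
            supplied = req.form.get("csrf_token", "")
            if not secrets.compare_digest(supplied, expected):
                return 403, None
        # Issue a refresh-token-style grant, independent of the browser session.
        refresh_token = secrets.token_urlsafe(24)
        self.grants[refresh_token] = (user, req.form["client_id"], req.form["scope"])
        return 200, refresh_token

    def access_mailbox(self, refresh_token: str):
        """App-side call: a grant keeps working whether or not the user is logged in."""
        return self.grants.get(refresh_token)


def csrf_attack(server: AuthorizationServer):
    """Victim is logged in and visits the attacker's page, which auto-submits a
    form to /consent. The browser adds the session cookie; the attacker cannot
    add the csrf_token because it never sees the real consent page.
    Returns (HTTP status, whether the grant still works after logout)."""
    sid = server.login("victim@example.com")
    forged = Request(
        method="POST",
        cookies={"session": sid},  # attached automatically by the browser
        form={"client_id": "evil-app", "scope": "mail.readwrite"},
        headers={"Origin": "https://attacker.example"},
    )
    status, token = server.consent(forged)
    server.logout(sid)  # the victim logs out; does the attacker keep access?
    still_works = token is not None and server.access_mailbox(token) is not None
    return status, still_works


def legitimate_consent(server: AuthorizationServer) -> int:
    """The genuine flow: the user submits the real consent page, token included."""
    sid = server.login("victim@example.com")
    page = server.render_consent_page(sid)
    req = Request(
        method="POST",
        cookies={"session": sid},
        form={"client_id": "good-app", "scope": "mail.read", **page},
    )
    status, _ = server.consent(req)
    return status


if __name__ == "__main__":
    print("vulnerable:", csrf_attack(AuthorizationServer(require_csrf_token=False)))
    print("hardened:  ", csrf_attack(AuthorizationServer(require_csrf_token=True)))
    print("legit on hardened:", legitimate_consent(AuthorizationServer(require_csrf_token=True)))
```

Run against the vulnerable server, the forged request succeeds and the grant still reads the mailbox after the victim logs out, which is exactly why this bug is worse than an ordinary session-bound CSRF. Against the hardened server the forged request is rejected while the genuine consent page still works. Real deployments should also check the `Origin`/`Referer` header and use the OAuth `state` parameter, but the per-session token is the core fix for the consent step itself.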
Most concerning of all, it could have been abused to create a nasty email worm, he added. “The real danger of this vulnerability is that it would be very easy to turn into the classic email worm of decades past. After the first victim is compromised, this vulnerability could be used to email every one of their contacts with a link that would then compromise those users’ accounts as well,” Wineberg noted, providing the below footage of his attack to FORBES.
“This really is just a classic CSRF vulnerability. The only thing that’s surprising about it is that it’s in a critical authentication system which ultimately can be used to take over any user’s account,” he added in a Synack blog post.
Microsoft fixed the bug in mid-September, paying out a whopping $24,000 to Wineberg for that vulnerability alone as part of the tech titan’s bug bounty program. As he was doing the research in his own time, Wineberg kept all the money rather than handing it over to his employer.
Just earlier this week, researchers highlighted more problems in Outlook, this time affecting business users. Israeli company Cybereason discovered a malicious DLL loaded into an Outlook Web App (OWA) server, the webmail component of Microsoft Exchange Server, hosted by one of its clients. The DLL installed a backdoor on the OWA server and waited for users to sign in, hoovering up their usernames and passwords as they did.
By design, OWA has a wide attack surface: it is effectively a route from the outside internet, past the firewalls, into the internal network, Cybereason noted. Where companies configure OWA to let remote workers in, they risk letting hackers in too.
Even those bidding for better webmail security, such as the PGP-based encrypted email service ProtonMail, can’t offer total protection, especially not from sophisticated hackers and web attacks like the one Wineberg demonstrated. The struggle goes on…