![](https://d15shllkswkct0.cloudfront.net/wp-content/blogs.dir/1/files/2018/12/microsoftbug.jpg)
A misconfigured subdomain owned by Microsoft Corp. could have exposed as many as 400 million Office 365 users to account takeover, a security researcher has revealed.
The mistake, spotted and reported Tuesday by Indian security researcher and Microsoft bug hunter Sahad Nk, stems primarily from Microsoft's failure to secure the subdomain success.office.com properly.
In a disturbing sequence of steps, Nk was able to issue a new CNAME record for the subdomain and divert traffic passing through it to an external server, in this case a server in his own Microsoft Azure account. In doing so, he could capture any data being sent through the subdomain.
Worse still, he was able to take over the subdomain using his own Microsoft account, protected by two-factor authentication, which exposed a flaw in Microsoft's OAuth authentication checks as well.
“Nk also found that Microsoft Office, Store and Sway apps could be tricked into sending their authenticated login tokens to his newly controlled domain after a user logs in through Microsoft’s Live login system,” TechCrunch reported.
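The two failures the story describes, a CNAME left pointing at a cloud hostname nobody owns and an OAuth flow that will hand a token to any host under a trusted parent domain, are both things a defending team can check for mechanically. The following is an added example written for this page, not code from the article, from the researcher, or from Microsoft. The DNS records, the inventory of provisioned cloud hostnames, the registered redirect URIs and the `example.com` names are all constructed sample data, and the list of claimable cloud suffixes is an assumption you would replace with the providers your organisation actually uses.

```python
"""Added example (not from the article): two defender-side checks.

1. Dangling-CNAME audit: a subdomain whose CNAME points at a cloud hostname that
   the organisation no longer provisions can be claimed by whoever registers that
   hostname, which is the subdomain-takeover pattern the story describes.
2. OAuth redirect_uri validation: honour only exact pre-registered URIs, never a
   suffix match on the parent domain, so a taken-over subdomain cannot receive
   login tokens.
"""
from urllib.parse import urlsplit

# Constructed sample data: CNAME targets as they might appear in a DNS zone export.
DNS_CNAMES = {
    "success.example.com": "success-site.azurewebsites.net",
    "www.example.com": "example-prod.azurewebsites.net",
    "docs.example.com": "old-docs.trafficmanager.net",
}

# Constructed inventory of cloud hostnames the organisation still owns.
PROVISIONED = {"example-prod.azurewebsites.net"}

# Assumption: suffixes of services where an unowned hostname can be registered
# by any customer. Replace with the providers you actually use.
CLAIMABLE_SUFFIXES = (".azurewebsites.net", ".trafficmanager.net", ".cloudapp.net")


def find_dangling_cnames(cnames, provisioned, claimable_suffixes=CLAIMABLE_SUFFIXES):
    """Return subdomains whose CNAME target is claimable and not in our inventory."""
    dangling = []
    for name, target in cnames.items():
        target = target.rstrip(".").lower()
        if target.endswith(claimable_suffixes) and target not in provisioned:
            dangling.append(name)
    return sorted(dangling)


# Constructed set of registered redirect URIs: the only ones the OAuth server
# should ever send a token to, compared as exact strings.
REGISTERED_REDIRECTS = {
    "https://www.example.com/auth/callback",
    "https://login.example.com/oauth/return",
}


def redirect_allowed_weak(uri):
    """The flawed pattern: trusts any HTTPS host under the parent domain, so a
    hijacked subdomain such as success.example.com is accepted."""
    parts = urlsplit(uri)
    host = (parts.hostname or "").lower()
    return parts.scheme.lower() == "https" and host.endswith(".example.com")


def redirect_allowed_strict(uri, registered=REGISTERED_REDIRECTS):
    """The hardened pattern: normalise scheme and host, reject fragments, then
    require an exact match against the registered URIs."""
    parts = urlsplit(uri)
    if parts.scheme.lower() != "https" or not parts.netloc or parts.fragment:
        return False
    normalised = f"https://{parts.netloc.lower()}{parts.path or '/'}"
    if parts.query:
        normalised += "?" + parts.query
    return normalised in registered


if __name__ == "__main__":
    print("dangling:", find_dangling_cnames(DNS_CNAMES, PROVISIONED))
    hijacked = "https://success.example.com/callback"
    print("weak check accepts hijacked subdomain:", redirect_allowed_weak(hijacked))
    print("strict check accepts hijacked subdomain:", redirect_allowed_strict(hijacked))
```

Run it as a script and the audit flags `success.example.com` and `docs.example.com` as dangling, while the weak redirect check accepts the hijacked subdomain and the strict one refuses it. In practice you would feed `find_dangling_cnames` from a zone export and an asset inventory, and the strict redirect rule is the one to enforce in any OAuth or SSO service you operate.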
The only saving grace in this comedy of errors was that Nk immediately reported the issues to Microsoft, which fixed them. Microsoft confirmed the report, saying that it mitigated the case in November and paid Nk a bug bounty for his efforts.
The report came on the same day Microsoft released its monthly Patch Tuesday security release. It included patches to address nearly 40 vulnerabilities, several of which are rated critical, with the majority of vulnerabilities rated as important.
“One of the most important flaws is a Windows Kernel Elevation of Privilege vulnerability (CVE-2018-8611), which has been exploited in the wild by attackers,” Satnam Narang, senior research engineer at Tenable Inc., told SiliconANGLE. “While this vulnerability requires an attacker to have an established presence on the vulnerable system, security teams should prioritize it in their patching cycles.”