Web widgets hosted on Microsoft's online login portal, login.live.com, do not perform sufficient sanitization of their request parameters, allowing an attacker to inject arbitrary text into a page served by login.live.com over HTTPS.
https://login.live.com/controls/WebAuth.htm
https://login.live.com/controls/WebAuthButton.htm
https://login.live.com/controls/WebAuthLogo.htm
Microsoft documents these widgets in the Sign-in Link API reference (linked below); each accepts several URL parameters that customize the resulting widget, and it is through these parameters that attacker-controlled text reaches the page.
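The following is an added illustration, not code from this report or from Microsoft, of the general shape of such a parameter-to-page text injection and of one way to close it. The parameter names `text`, `textId` and `style` are hypothetical; the widgets' real parameters are in the Sign-in Link API reference linked below. The point it makes is that output encoding alone does not fix text injection (the attacker's sentence is still rendered, just as literal characters); the server has to stop accepting free text for display.

```javascript
// Added illustration, not code from the page or from Microsoft: the general
// shape of a parameter-to-page text injection and one way to close it.
// The parameter names `text`, `textId` and `style` are hypothetical; the real
// widget parameters are in the Sign-in Link API reference linked below.

// Escape text for HTML element content and double-quoted attribute values.
// This stops markup injection but NOT text injection: whatever the attacker
// sends is still rendered, only as literal characters.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: a free-text request parameter is rendered verbatim.
// Anything in `text` shows up on a page served by the login host, under its
// TLS padlock, which is all a phishing lure needs.
function renderWidgetVulnerable(queryString) {
  const q = new URLSearchParams(queryString);
  const text = q.get("text") ?? "Sign in";
  const style = q.get("style") ?? "button";
  return `<div class="webauth ${style}"><a href="https://login.live.com/">${text}</a></div>`;
}

// Hardened pattern: the caller may only pick from server-defined strings, so
// no attacker-chosen text can reach the page. Escaping is kept as defence in
// depth for the values that are rendered.
const LABELS = { signin: "Sign in", signup: "Sign up", connect: "Connect" };
const STYLES = new Set(["button", "logo", "link"]);

function renderWidgetHardened(queryString) {
  const q = new URLSearchParams(queryString);
  const textId = q.get("textId");
  const text = Object.prototype.hasOwnProperty.call(LABELS, textId)
    ? LABELS[textId]
    : LABELS.signin;
  const requested = q.get("style");
  const style = STYLES.has(requested) ? requested : "button";
  return `<div class="webauth ${escapeHtml(style)}"><a href="https://login.live.com/">${escapeHtml(text)}</a></div>`;
}

// Constructed attacker input (example only, not the URL from the report):
// a plausible lure the attacker wants displayed on the login host.
const LURE = "Your account is locked. Call 555-0100 to restore access.";
const ATTACK_QUERY = "text=" + encodeURIComponent(LURE) + "&style=button";

// True when attacker-supplied text appears in the rendered widget.
function leaksAttackerText(html) {
  return html.includes(LURE);
}

console.log("vulnerable:", renderWidgetVulnerable(ATTACK_QUERY));
console.log("hardened:  ", renderWidgetHardened(ATTACK_QUERY));
```

Run with `node widget.js`: the vulnerable renderer prints the lure inside the widget markup, while the hardened one prints the default "Sign in" label because `text` is no longer a recognised input and `textId` is absent.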
Example URL with malicious content: (screenshot; note the SSL icon in the browser)
MSRC Case # 30838 / TRK # 0189016
Microsoft Sign-in Link API: https://msdn.microsoft.com/en-us/library/bb676638.aspx
Microsoft Security Researcher Acknowledgements (September 2015): https://technet.microsoft.com/en-us/security/cc308575
Thank you to Grier Forensics for providing advice. Discovered by Yakov Shafranovich in collaboration with the Shaftek Enterprises Security Research Team.
This discovery qualified for a security bounty under the terms of Microsoft’s Online Services Bug Bounty program.
2015-08-06: Vendor notified
2015-08-06: Initial vendor response
2015-08-11: Vendor replicated the issue
2015-08-31: Fix deployed by vendor
2015-09-17: Bounty received
2015-09-21: Public disclosure