Microsoft says it has fixed a bug in its login system that hackers could have exploited to trick users into giving over complete access to their accounts.
Security researchers say the bug allowed hackers to steal account tokens, which is what websites use to allow users to have access to their account without a username and password.
Researchers at Israel-based cybersecurity company, CyberArk, found that Microsoft accidentally left a loophole that could be used to access victim’s accounts through the tokens without the user ever knowing.
CyberArk found a number of unregistered subdomains connected to apps that were built by Microsoft. These types of subdomains can be used to create access tokens without needing consent from the user.
All that an attacker would need to is trick a user into clicking on a link within an email or on a website after which the hacker would steal the token. Researchers say that in some cases the tokens could be stolen without any interaction at all.
Microsoft became aware of the bug in late October and fixed it three weeks later.