george/msa-exploit-checker

MSA Exploit Checker

The Microsoft account exploit described below is not an officially reported exploit; however, it is a feature that can easily be abused by an attacker to regain control of a Microsoft account. This exploit isn't detectable through any normal methods or the default Microsoft security panel, making it especially dangerous.

Signing out of all devices on a Microsoft account does not affect or remove this exploit.

How the exploit works

If a device is added as a FIDO-enabled device on a Microsoft account, the normal measures for securing an account aren't enough to remove the device. This allows an attacker who previously had access to the Microsoft account to regain access to it easily, as long as they added a FIDO-enabled device to it.

This is incredibly dangerous to anyone who may share a Microsoft account. If, at any point, someone else has had access to your account, they can easily regain access to it, as long as their FIDO device is added to the account. The device is not detectable or removable through the normal security panel, and can easily lead to a full account takeover.

This exploit has already caused hundreds of thousands of dollars in scams and damages; however, it can be removed from an account.

How the detection works

The application works by replicating an account login request and checking whether the response contains any FIDO information. If it does, the account could be at risk of being compromised.

Keep in mind that any Microsoft account that already has a FIDO device linked will appear as an account that has the exploit active on it.
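The README does not give the login endpoint, the request format or the response schema, so the following is an added illustration of the detection step only, not the project's own code: it takes a login response body as a string and reports which fields carry FIDO information. The indicator key names (FIDO_INDICATORS) and the sample responses are constructed assumptions, not captured Microsoft data. As the note above says, the check flags any account with a FIDO device, legitimately registered or not, so a hit is a prompt to review the account's registered devices rather than proof of compromise.

```python
"""Added example (not the project's code): scan a login response for
FIDO-related fields. Indicator names and samples are constructed."""
import json
import re

# Constructed indicator key names; the real response schema is not known here.
FIDO_INDICATORS = ("fido", "fidoCredentials", "credentialList", "allowList")
_INDICATORS = {k.lower() for k in FIDO_INDICATORS}


def _walk(node, path=""):
    """Yield (dotted_path, value) for every dict key in a nested JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            yield child, value
            yield from _walk(value, child)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk(value, f"{path}[{i}]")


def find_fido_indicators(body: str) -> list:
    """Return the JSON paths whose key is a FIDO indicator with a non-empty value.

    The body is parsed as JSON first; if that fails (HTML login pages often
    embed JSON inside script tags), a case-insensitive text scan for
    'fido...' tokens is used instead. An empty list means nothing was found.
    """
    try:
        doc = json.loads(body)
    except ValueError:
        hits = {m.group(0) for m in re.finditer(r"fido\w*", body, re.IGNORECASE)}
        return sorted(hits)
    hits = []
    for path, value in _walk(doc):
        key = path.rsplit(".", 1)[-1].split("[")[0]
        # only a populated indicator counts; an empty list means no FIDO device
        if key.lower() in _INDICATORS and value not in (None, [], {}, False, ""):
            hits.append(path)
    return hits


def account_at_risk(body: str) -> bool:
    """True when the response advertises FIDO credentials.

    This cannot tell an attacker-added key from one the owner registered:
    every account with a FIDO device is flagged, exactly as the README warns.
    """
    return bool(find_fido_indicators(body))


# Constructed sample responses (not captured from any real service).
SAMPLE_NO_FIDO = json.dumps(
    {"username": "user@example.com", "credentials": {"password": True, "fido": []}}
)
SAMPLE_WITH_FIDO = json.dumps({
    "username": "user@example.com",
    "credentials": {
        "password": True,
        "fido": [{"id": "constructed-credential-id", "name": "security key"}],
    },
})

if __name__ == "__main__":
    for label, body in (("no fido", SAMPLE_NO_FIDO), ("fido", SAMPLE_WITH_FIDO)):
        print(label, "->", find_fido_indicators(body), account_at_risk(body))
```

Paths are returned rather than a bare boolean so an operator can see which field triggered the flag and compare it against the devices the account owner actually recognises.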

Project structure

The project is divided into two different modules, the API and the Discord bot.

The Discord bot can be added to a server, where the /check (email) command reports whether the given email's account is FIDO enabled.

Installation

  • Clone the repository
  • Install the dependencies (pip install -r requirements.txt)
  • Create an environment variables file with the following fields:
    • HOST (usually 127.0.0.1)
    • PORT
    • BOT_TOKEN (your bot token)
  • Execute py .

About

Proof-of-concept and detection tool to show if a critical account takeover exploit for Microsoft accounts is enabled
