Future Built on Knowledge

A flaw in Microsoft’s online services discovered. FBK researcher received recognition for his contribution to Microsoft’s online services security

December 13, 2016

A 26 year-old from India, Avinash Sudhodanan has been working at FBK (research centre located in Trento, Italy) for three years on his doctorate in the "Security and Trust" group. In collaboration with Nicolas Dolgin (an intern from SAP, France), Avinash recently discovered a serious vulnerability in Microsoft's online services that allows an attacker to make the victim access (without their knowing so) an account controlled by the attacker.

The discovery makes them eligible for the Microsoft “Online Services Bounty” program thanks to which Avinash and Nicolas will receive a prize of $ 1,500.

In fact, the “Microsoft Security Response Center” provides a cash prize and a mention on their website to researchers who contribute to more secure online services.

The consequences of the “flaw” discovered by the researchers can be serious. Among these, the attacker can monitor the activity of the victim and the pages they visit, thus acquiring sensitive data. This not only leads to the breach of the victim’s privacy, but it may allow the use of the data collected for fraudulent purposes. Also, the attacker can trick the victim by improperly using their credit card or making them pay for services they do not use, such as Skype credit recharging of the attacker’s account.

The research was conducted as part of the “Security and Trust of Next Generation Enterprise Information Systems” (SECENTIS) European project, in which Fondazione Bruno Kessler and SAP Labs France participated. This is a European Industrial PhD, fully funded by the EU, which aims to train a new generation of security experts, capable of meeting both the scientific and the technical challenges posed by emerging technologies and the resulting impact on companies.

Avinash, along with other four doctoral students, was selected in 2013 as part of the SECENTIS project, with the purpose of developing security analysis techniques and browser-based protocols testing that can provide support to developers, helping to identify vulnerabilities that can have very serious effects, such as identity theft, loss of bank account details and other confidential information.

Avinash’s PhD is under the supervision of Roberto Carbone (researcher at FBK), Luca Compagna (from SAP Labs France), and of the SECENTIS project coordinator, Alessandro Armando (also the Head of the FBK “Security and Trust” Unit).

The line of research developed by Avinash as part of the SECENTIS project is helping to improve the security of very popular web sites. For instance, Avinash has also discovered serious vulnerabilities, similar to that discovered in Microsoft, in services provided by Google, eBay, SAP [2] etc. Last year Avinash conducted security analysis of web sites that use Single Sign-On (SSO) solutions provided by major companies such as PayPal, LinkedIn, Facebook and Instagram. As a result of this analysis, Avinash discovered vulnerabilities in the SSO solutions offered by PayPal and Yahoo [1], as well as multiple vulnerabilities in popular web sites (such as LinkedIn, Pinterest ).

Avinash was publicly acknowledged by Yahoo (in its Security Wall of Fame), Pinterest, and SAP  for his findings.

Avinash will end his PhD program next year and, thanks to the research developed at FBK, is now working in ”Cyber security innovation lab” by “Poste Italiane“ at FBK and applying for positions abroad.

The author/s