Microsoft Authenticator’s Unclaimed Deep Link: A Full Account Takeover Story (CVE-2026-26123)
This vulnerability is an authentication bypass, specifically a session hijacking issue, affecting the Microsoft Authenticator app. The root cause was improper handling of deep links within the application, which allowed malicious actors to craft unclaimed deep links containing account tokens. When users clicked these links, their active sessions were hijacked, resulting in full account takeover with no user interaction other than clicking a link.

To exploit this, an attacker could generate a malicious deep link with an embedded account token and share it via SMS or email. The session hijack occurred because the application failed to verify the authenticity of deep links before processing them.

This vulnerability has been assigned CVE-2026-26123. Microsoft rewarded $50,000 for this find and immediately patched the issue.

To prevent similar vulnerabilities, thoroughly validate and sanitize all user-controlled inputs, including deep links. Key lesson: always verify the authenticity of user-supplied data before processing it.
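One way to implement the verification described above, as an added example that is not Microsoft's code and not from the original write-up: the handler accepts a token-bearing deep link only when it answers a sign-in the app itself started. The scheme `exampleauth`, host `signin`, and parameters `token` and `state` are hypothetical, since the page does not give the real ones.

```python
import hmac
import secrets
import time
from urllib.parse import urlsplit, parse_qs

# All names below are hypothetical; the page does not give the app's real
# scheme, host or parameter names.
ALLOWED = {("exampleauth", "signin")}   # (scheme, host) pairs the app handles
STATE_TTL = 300                         # seconds a pending request stays valid
_pending = {}                           # state nonce -> expiry time


def begin_sign_in(now=None):
    """Called when the user starts a sign-in inside the app; returns the nonce."""
    state = secrets.token_urlsafe(32)
    _pending[state] = (now if now is not None else time.time()) + STATE_TTL
    return state


def handle_deep_link(url, now=None):
    """Return the token only for a link that answers a request this app started."""
    now = now if now is not None else time.time()
    parts = urlsplit(url)
    if (parts.scheme.lower(), (parts.hostname or "").lower()) not in ALLOWED:
        raise ValueError("unexpected scheme or host")
    try:
        query = parse_qs(parts.query, strict_parsing=True)
    except ValueError:
        raise ValueError("malformed query") from None
    # Exactly one value per parameter: duplicates invite parser confusion.
    if any(len(values) != 1 for values in query.values()):
        raise ValueError("duplicate parameter")
    token = query.get("token", [""])[0]
    state = query.get("state", [""])[0]
    if not token or not state:
        raise ValueError("missing token or state")
    # A link the app never asked for carries no nonce that matches a pending one.
    supplied = state.encode()
    match = next((s for s in _pending
                  if hmac.compare_digest(s.encode(), supplied)), None)
    if match is None:
        raise ValueError("link does not match a pending sign-in")
    expiry = _pending.pop(match)        # single use, consumed even if expired
    if now > expiry:
        raise ValueError("pending sign-in expired")
    return token
```

A link delivered by SMS or email with an embedded token fails the pending-request check, because the receiving app never issued a matching `state` value.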

