Synack senior security researcher Wesley Wineberg has received a $25,000 award from Microsoft for reporting a bug: a CSRF vulnerability that could be used to hijack any Hotmail account.

A CSRF (cross-site request forgery) vulnerability means that any user who visits a malicious page can have their account hijacked without any interaction on their part.

The vulnerability existed in Microsoft's Live.com and has since been patched. Wineberg said that, if deliberately designed for it, the bug could have been developed into a worm.

“Through IMAP and the address book, the worm could easily have been e-mailed to all of the user's contacts, at least those using Hotmail or Outlook.com; the message could carry some enticing content, in the style of the ILOVEYOU virus, in order to spread,” Wineberg said.

“The only prerequisite is that the user has logged in and has a valid session token in their cookie.”

“This CSRF vulnerability allowed me to bypass the user-interaction steps of the OAuth authentication system.”
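As an added illustration that is not part of the article or of Wineberg's research, the standard defence against the class of bug he describes, a CSRF against an OAuth flow, is to bind a random `state` value to the user's session and reject any callback that does not carry it. The stores, handler names and session values below are hypothetical and constructed for the example.

```python
import hmac
import secrets

# Constructed in-memory session store standing in for a web app's real one.
sessions = {}


def start_authorization(session_id):
    """Begin an OAuth flow: mint a random state and bind it to this session."""
    state = secrets.token_urlsafe(32)
    sessions.setdefault(session_id, {})["oauth_state"] = state
    # Hypothetical IdP URL; only the state parameter matters here.
    return f"https://idp.example/authorize?response_type=code&state={state}"


def handle_callback(session_id, query):
    """Hardened callback: accept the code only if the state matches the one
    bound to the session, and consume it so it cannot be replayed."""
    expected = sessions.get(session_id, {}).pop("oauth_state", None)
    received = query.get("state")
    if expected is None or received is None:
        return ("rejected", None)
    if not hmac.compare_digest(expected, received):
        return ("rejected", None)
    return ("accepted", query.get("code"))


def handle_callback_unprotected(session_id, query):
    """Weak variant: no state check, so a request forged by another site
    and carried by the victim's cookie is accepted as if the user did it."""
    return ("accepted", query.get("code"))


def demo():
    """Run the legitimate flow, a forged callback, and a replay, returning outcomes."""
    victim = "victim-session-cookie"  # constructed session identifier
    url = start_authorization(victim)
    state = url.split("state=")[1]
    legit = handle_callback(victim, {"code": "legit-code", "state": state})
    # A cross-site page makes the logged-in victim's browser hit the callback
    # with an attacker-chosen code; the browser attaches the victim's cookie.
    forged = handle_callback(victim, {"code": "other-code"})
    # Replaying the already-consumed state is rejected as well.
    replay = handle_callback(victim, {"code": "other-code", "state": state})
    weak = handle_callback_unprotected(victim, {"code": "other-code"})
    return {"legit": legit, "forged": forged, "replay": replay, "weak": weak}
```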

Wineberg also recorded a proof-of-concept session-hijacking demo; here is the video:

