[kazinator]

Wild-assed guess before I read this: in their greed for personal information, they took what should be a purely client-side scripted job into something that connects to the back end.

Edit: Yup! Instead of just doing calculations, it involved some e-mail workflow.

> The password could be used to log into the “noreplyeicher@ttibi.co.in” Microsoft email account.

I'm surprised this is literally true as described.

The actual browser itself makes the actual SMTP connection to the Microsoft e-mail host! The authentication name used is the above e-mail address. I typed out the Base64 to check:

  1> (base64-decode "bm9yZXBseWVpY2hlckB0dGliaS5jby5pbg")
  "noreplyeicher@ttibi.co.in"

There is a second IT silliness here, a minor one compared to the password gaffe. "noreply" addresses should not be real mail accounts or working aliases!

The noreply address is just a fake you put into the SMTP envelope and From: which will bounce due to not resolving if someone replies to it.

[semiquaver]

  > The actual browser itself makes the actual SMTP connection to the Microsoft e-mail host!

This is not generally possible, browsers cannot make arbitrary socket connections in the way that would be required to reliably communicate with an SMTP server. The article makes clear that the frontend is calling a poorly-coded email-sending API implemented as an HTTP endpoint.

[kazinator]

I see. That's what I would have thought so I was scratching my head; that lack of sandboxing would turn all browsers into horrible attack vehicles, rendering botnets obsolete.