Two security flaws in Microsoft online web services
This article discloses the two security vulnerabilities I discovered in Microsoft web services. As you may know, Microsoft has started offering monetary rewards ranging from $500 USD up to a maximum of $15,000 USD. So, without any kind of bullshit, making some quick cash was my main motivation this time, especially since I am already listed in their Hall of Fame twice, but that was before they officially launched their bug bounty program.
The first security flaw was a cross-site request forgery (CSRF) which affected a sensitive endpoint and actions. I had been testing the developer endpoint: https://account.live.com/
Obviously, the exploitation was pretty easy: any attacker could target popular application developers and lure them into unintentionally changing the application secret key simply by visiting a web page containing the code below.
2. Activating the newly generated key:
I reported the issue to the Microsoft security team on 12/23/2015. They had a hard time reproducing it, and I was obliged to record a video as a proof of concept. Microsoft confirmed the vulnerability was fixed on 02/10/2016 and rewarded $2000.00 USD for it.
As for the second vulnerability, it was a very ugly stored cross-site scripting (XSS) that affected most of Yammer.com's functionality, including chat, comments, feed, etc. I still have not figured out how many bug hunters missed it, but I suppose it may be due to a recent code change and I got lucky to be the first one to stumble upon it.
Yammer treats this as the URL. When it is parsed, Yammer wraps a link around that code, so the HTML now looks like:

```html
<a href="https://yassineaboukir.com/"onmouseover="alert(document.cookie)" target="_blank">https://yassmineaboukir.com/"onmouseover="alert(document.cookie)"/</a>
```
You can see that by putting in the URL with the trailing slash, Yammer thinks it has a valid URL even though it contains a quote mark, which allows it to escape (i.e. terminate the href attribute, for the pedants out there) the URL attribute and include a mouseover handler.
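To make the bug class concrete, here is an added example (not Yammer's or Microsoft's code) that contrasts a naive autolinker, which builds the same kind of anchor the post shows, with a hardened one that parses the candidate URL and HTML-escapes it before emitting markup; the regex, function names and sample message are assumptions.

```javascript
// Added example (not Yammer's code): a naive autolinker that reproduces the
// class of bug described above, beside a hardened version. The regex, the
// helper names and the sample message are assumptions for illustration.

// Any "http(s)://" followed by non-space characters and a trailing slash.
var URL_RE = /https?:\/\/\S+\//g;

// Naive: the raw match is dropped straight into the href attribute, so a
// double quote inside the "URL" closes the attribute and whatever follows
// (e.g. onmouseover=...) becomes a live attribute of the <a> element.
function autolinkNaive(text) {
  return text.replace(URL_RE, function (url) {
    return '<a href="' + url + '" target="_blank">' + url + '</a>';
  });
}

// Encode the five characters that matter in text and attribute context.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, function (c) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c];
  });
}

// Hardened: parse the candidate with the WHATWG URL parser (which
// percent-encodes characters such as '"' in the path), allow only http/https,
// and HTML-escape the href value, the link text and the text between links,
// so nothing user-controlled reaches the markup unencoded.
function autolinkSafe(text) {
  var out = '', last = 0, m;
  URL_RE.lastIndex = 0;
  while ((m = URL_RE.exec(text)) !== null) {
    out += escapeHtml(text.slice(last, m.index));
    var candidate = m[0], href = null;
    try {
      var parsed = new URL(candidate);
      if (parsed.protocol === 'http:' || parsed.protocol === 'https:') href = parsed.href;
    } catch (e) { /* not a parseable URL: fall through and render as text */ }
    out += href === null
      ? escapeHtml(candidate)
      : '<a href="' + escapeHtml(href) + '" target="_blank" rel="noopener">' +
        escapeHtml(candidate) + '</a>';
    last = m.index + candidate.length;
  }
  return out + escapeHtml(text.slice(last));
}

// Constructed message in the shape the post describes: a quote inside the URL
// followed by an event-handler attribute and a trailing slash.
var SAMPLE = 'https://yassineaboukir.com/"onmouseover="alert(document.cookie)"/';
```

Under Node, `autolinkNaive(SAMPLE)` produces the attribute injection while `autolinkSafe(SAMPLE)` renders the quote as `%22` inside the href and as `&quot;` in the visible link text.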
For demonstration purposes, but especially to keep it as a memory, I recorded the video below:
I quickly escalated the issue to the Microsoft security team on 02/05/2016 and they handled it very quickly. The patch was confirmed on 02/10/2016 and the reward was $2000.00 USD.
I kept digging through their web services believing that I might come across something new and, luckily, I found this open redirect in an eligible endpoint, though I first had some doubts about whether they would accept it or not. The open redirect resides in *.safelinks.
The impact is obvious, as any user may be subjected to phishing attacks by being redirected to an untrusted, attacker-controlled web page that appears to be a trusted web site (outlook.com).
Proof of Concept:
Unfortunately, and as predicted, Microsoft confirmed that it was by design, due to the nature of the Safe Links feature.
Finally, I must admit that I enjoyed the collaboration with the security team, and Microsoft has, indeed, a good bug bounty program which is not only well managed but also pays very well. I must thank Holly, Microsoft's bounty payments processor, for the kind words and good handling of payment processing. Thank you too for taking the time to read this, and I hope it was not a waste 😉 Stay tuned for the next posts!
See you in February on the « Security acknowledgment » and the « Honor Rolls » page.