Two security flaws in Microsoft online web services

This article is reserved for disclosing the two security vulnerabilities I discovered in Microsoft web services. As you may know, Microsoft has started offering monetary rewards that range from $500 USD up to a maximum of $15,000 USD. So, without any kind of bullshit, making some quick cash was my main motivation this time, especially since I am already listed in their Hall of Fame twice, but that was before they officially launched their bug bounty program.

The first security flaw was a Cross-Site Request Forgery (CSRF) which affected a sensitive endpoint and its actions. I had been testing the developer endpoint: and noticed that all the actions were protected against CSRF attacks using an authenticity token named Canary. After some further digging, I noticed that the actions of generating a new secret key and activating it were both vulnerable because they lacked the aforementioned security token.

(Screenshot: App Secret key and ID were created for testing purposes only)

Obviously, the exploitation was pretty easy: any attacker could target popular application developers and lure them into unintentionally changing the application secret key simply by visiting a web page carrying the code below.

1. Generate a new secret key:

2. Activate the newly generated key:

```html
<!-- Auto-submitting cross-site form; the target action URL is omitted here -->
<form name="send" method="post" action="" enctype="application/x-www-form-urlencoded">
  <input name="undefined" value="undefined" type="hidden">
  <script type="text/javascript">
    // Submit the form as soon as the victim's browser loads the page
    document.send.submit();
  </script>
</form>
```


I reported the issue to the Microsoft security team on 12/23/2015. They had a hard time reproducing it, so I was obliged to record a video as a proof of concept. Microsoft confirmed the vulnerability as fixed on 02/10/2016 and rewarded $2,000.00 USD for it.

As for the second vulnerability, it was a very ugly stored Cross-Site Scripting (XSS) that affected most functionalities, including chat, comments, feed, etc. I still have not figured out how many bug hunters missed it, but I suppose it may be due to a recent code change, and I got lucky to be the first one to stumble upon it.

The XSS was due to the fact that Yammer did not properly escape URLs. Using the onmouseover attribute I was able to execute arbitrary JavaScript. For example, the following link is posted to the company's feed:


Yammer treats this as a URL. When it is parsed, Yammer wraps a link around that code, so the HTML now looks like:

```html
<a href=""onmouseover="alert(document.cookie)" target="_blank">"onmouseover="alert(document.cookie)"/</a>
```

You can see that by putting in the URL and the trailing slash, Yammer thinks it has a valid URL even though it contains a quote mark, which allows it to escape (i.e. terminate the href attribute, for the pedants out there) the URL attribute and include a mouseover handler. The first quote closes the empty href early, and the rest of the "URL" is then parsed by the browser as further attributes of the anchor, so the injected onmouseover fires as soon as any user hovers over the link in the feed.
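The following added example (not Yammer's or Microsoft's code, and not from the original post) shows the bug class in a toy autolinker and the hardened version beside it. The payload is constructed: the exact link the post used is not reproduced on the page, so the example uses an http:// prefix so that a naive URL regex matches it, which yields the same attribute-breaking shape as the HTML shown above. The naive version concatenates the matched token into the href and the link text; the hardened version validates the token as an absolute http(s) URL with a plain hostname and HTML-escapes both the attribute value and the text node regardless.

```javascript
// Added example (not Yammer's or Microsoft's code): a naive autolinker that shows
// the bug class described above, next to a hardened version.

// Find "URL-looking" tokens. Both versions use the same detection; the
// difference is what they do with the match.
const URL_TOKEN = /https?:\/\/\S+/g;

// Naive: neither validated nor escaped, so a quote inside the token closes the
// href attribute and the remainder becomes new attributes on the <a>.
function vulnerableAutolink(text) {
  return text.replace(URL_TOKEN, (tok) => `<a href="${tok}" target="_blank">${tok}</a>`);
}

// Escape the characters that matter in HTML text and double-quoted attributes.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Accept only absolute http(s) URLs whose hostname is a plain domain
// (letters, digits, dots, hyphens after parsing). Return the normalized URL or null.
function validateHttpUrl(tok) {
  let u;
  try {
    u = new URL(tok);
  } catch {
    return null;
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  if (u.username || u.password) return null;
  if (!/^[a-z0-9.-]+$/.test(u.hostname)) return null;
  return u.href;
}

// Hardened: every piece of user text is escaped, and only validated URLs become
// links. The href gets escaped too: validation and escaping are separate layers.
function safeAutolink(text) {
  let out = "";
  let last = 0;
  for (const m of text.matchAll(URL_TOKEN)) {
    out += escapeHtml(text.slice(last, m.index));
    const href = validateHttpUrl(m[0]);
    out += href
      ? `<a href="${escapeHtml(href)}" target="_blank" rel="noopener noreferrer">${escapeHtml(m[0])}</a>`
      : escapeHtml(m[0]);
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Constructed payload, modelled on the HTML shown above (prefix added so the regex matches).
const PAYLOAD = 'check this http://"onmouseover="alert(document.cookie)"/ out';

console.log("naive:   ", vulnerableAutolink(PAYLOAD));
console.log("hardened:", safeAutolink(PAYLOAD));
```

Note that the hardened output still shows the attacker's text, just inert: `&quot;onmouseover=&quot;...` is rendered as literal characters, never parsed as an attribute. That is the behaviour a fix for this class of bug should have, rather than trying to strip "dangerous" substrings from the URL.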

For demonstration purposes, but especially to keep it as a memory, I recorded the video below:


I quickly escalated the issue to the Microsoft security team on 02/05/2016 and they handled it very quickly. The patch was confirmed on 02/10/2016 and the reward was $2,000.00 USD.

I kept digging through their web services, believing that I might come across something new, and, luckily, I found this open redirect in an eligible endpoint, though at first I had some doubts about whether they were going to accept it or not. The open redirect resides in * because the 'url' parameter is not fully validated.

The impact is obvious, as any user may be subjected to phishing attacks by being redirected to an untrusted, attacker-controlled web page that appears to come from a trusted web site.

Proof of concept:

Unfortunately, and as predicted, Microsoft confirmed that it was by design, due to the nature of the Safe Links feature.

Finally, I must admit that I enjoyed the collaboration with the security team, and Microsoft has, indeed, a good bug bounty program which is not only well managed but also pays very well. I must thank Holly, Microsoft's bounty payments processor, for the kind words and the good handling of payment processing. Thank you too for taking the time to read this, and I hope it was not a waste 😉 Stay tuned for the next posts!

See you in February's « Security acknowledgment » and the « Honor Rolls » page

Further reading:

Written on March 5, 2016