
How I could have read your confidential bug reports with a simple email

Sudhakar Muthumani
InfoSec Write-ups

Hey everyone, hope you’re doing safe and sound.

I recently found a bug in the Microsoft research portal that could have let me read the bug report updates of fellow security researchers who report to Microsoft. It was a simple yet interesting thing I found while randomly exploring the portal.

What was the bug?

It was an information disclosure bug: anyone who knew a vulnerability report ID could receive that report’s updates.

How to get the vulnerability report ID?

The vulnerability report ID has the form VULN-<some number> and is the unique identifier for every report; Microsoft tracks each bug report by this ID. The IDs are assigned sequentially, for example 010001 followed by 010002, so they are easily guessable.

How to reproduce the bug?

  1. Report a bug as User A.
  2. Send a mail from User B’s mail ID to Microsoft’s vulnerability report mail ID, with any text in the body and a subject line of VULN-<the report number>.
  3. User B is now added to that report in Microsoft’s ticketing portal.

From then on, User B receives the updates of User A’s bug report without User A’s knowledge.
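To make the root cause concrete, here is an added example (not code from the original post or from Microsoft’s portal) of a hypothetical inbound-mail handler for a report tracker: the vulnerable version attaches any sender who names a valid VULN-<id> in the subject, while the hardened version only accepts mail from the reporter or an already-authorised watcher and logs everything else, so a run of refusals across consecutive IDs is visible to monitoring. Ticket data, addresses and function names are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Hypothetical ticket store standing in for a vendor's report-tracking portal.
SUBJECT_RE = re.compile(r"\bVULN-(\d+)\b", re.IGNORECASE)

@dataclass
class Ticket:
    ticket_id: str
    reporter: str
    watchers: set = field(default_factory=set)  # addresses that get updates
    log: list = field(default_factory=list)     # rejected attach attempts

def sample_tickets() -> dict:
    """Constructed sample data: two sequential IDs as the write-up describes."""
    return {
        "010001": Ticket("010001", "usera@example.com"),
        "010002": Ticket("010002", "researcher@example.net"),
    }

def parse_report_id(subject: str):
    m = SUBJECT_RE.search(subject)
    return m.group(1) if m else None

def handle_mail_vulnerable(sender: str, subject: str, tickets: dict) -> str:
    """Behaviour the write-up describes: whoever mails in with a valid
    VULN-<id> in the subject is attached to that ticket as a watcher."""
    ticket = tickets.get(parse_report_id(subject))
    if ticket is None:
        return "new-ticket"
    ticket.watchers.add(sender.lower())  # no check that the sender belongs here
    return "attached"

def handle_mail_hardened(sender: str, subject: str, tickets: dict) -> str:
    """Only the reporter or an already-authorised watcher may correspond on a
    ticket; any other sender is refused and the attempt is logged, so a run
    of refusals across consecutive IDs stands out in monitoring."""
    rid = parse_report_id(subject)
    ticket = tickets.get(rid)
    if ticket is None:
        return "new-ticket"
    addr = sender.lower()
    if addr == ticket.reporter.lower() or addr in ticket.watchers:
        return "attached"
    ticket.log.append(f"rejected attach by {addr} on VULN-{rid}")
    return "rejected"
```

A real fix would also stop issuing sequential report numbers, but the authorisation check above is what closes the disclosure even when IDs are guessable.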

How could the bug have affected Microsoft?

If an attacker sent automated mails to Microsoft’s mail ID, changing the report number each time, he could have listened in on the updates of every bug report. If any sensitive information was sent via mail, the attacker could have used it for malicious purposes.


Microsoft rated this bug as Important and fixed it. No bounty was awarded because it was out of scope under Microsoft’s terms.

Thanks for reading, good day! :-)

Timeline:

Bug reported on 01/07/2021

Bug assigned on 21/07/2021

Sent to the development team on 16/09/2021

Bug fixed on 21/10/2021


Written by Sudhakar Muthumani

Security Engineer at Zoho. Chapter head at OWASP Thoothukudi. Hacked into Xiaomi, Apple, Microsoft
