HackDig : Dig high-quality web security articles for hacker

Microsoft Careers Website Was Leaking Data via a Misconfigured MongoDB Database

2016-02-14 03:20

Microsoft has patched a leaky database that was exposing information for users that registered on the mobile version of their Careers website.

Security researcher Chris Vickery discovered the issue, which is similar to his previous discoveries. Mr. Vickery has made a name for himself by hunting down companies that were deploying misconfigured MongoDB databases online.

One of the companies he exposed was MacKeeper, who was leaking details of over 13 million users. The company was so impressed with his dedication and skills that they gave him a job.

Microsoft, Ritz, Marriott were all affected

According to a blog post on MacKeeper's site, Mr. Vickery has now revealed that he helped Microsoft secure a MongoDB database that was accessible via the Internet, had no password and allowed attackers to modify its content.

The database in question belonged to Punchkick Interactive, a mobile Web development company that Microsoft hired to manage the mobile version of its Careers website.

Alongside Microsoft, the same database also exposed information for the company's other clients, like Marriott Hotels and Ritz-Carlton Hotels. All databases were vulnerable in the same way.

Attackers could read, but also write content to the database

While exposing private data for all people that registered on Microsoft's Careers mobile website is bad enough, the real danger laid elsewhere. Because any attacker would have had write access to the database's content, he would have been able to insert malicious code into its content, and have it embedded on the site itself.

This situation opened the door for classic drive-by download attacks, which would have allowed hackers an easy and hard to detect method of delivering malware.

Punchkick fixed the issue in less than an hour after Mr. Vickery informed them by email, which is a thing that deserves praises if we take into account that other companies take years to fix security issues.

"The lesson to learn here is that if you’re a big name player like Microsoft, it’s acceptable for third-parties to handle mundane operations like job posting webpages," Mr. Vickery noted. "But be aware that a hole in the third-party’s security can quickly become a hole in your security."

Sample of the leaked data
Sample of the leaked data

Source: WLzF2dtUGdpNnYldXLzJXZlJXYj1Cdm92cvJ3Yp12LzdXZu9SbvNmLhlGZlBHdm92cuM3dl52LvoDc0RHa/ca.ssr.dps

Read:1312 | Comments:0 | Tags:Data Breaches

“Microsoft Careers Website Was Leaking Data via a Misconfigured MongoDB Database”0 Comments

Submit A Comment



Blog :

Verification Code:


Share high-quality web security related articles with you:)


Tag Cloud