Exposed database allowed read/write access to Microsoft's career portal

Configuration errors exposed data and enabled full control over the website's HTML

A jobs portal used by Microsoft applicants had a misconfigured MongoDB installation that exposed some information and enabled read/write access to the website. The database was quickly secured, but the incident highlights the importance of monitoring and verification when it comes to third-party development projects.

The misconfigured MongoDB installation was discovered by Chris Vickery.

Vickery has worked with Salted Hash on a number of stories [1], and he recently started working with Kromtech as a security expert not long after he discovered 13 million MacKeeper accounts in a misconfigured database late last year.

The database itself is maintained by Punchkick Interactive, a mobile development company contracted by Microsoft to run

There were a number of companies in the exposed database, but Microsoft was the largest of the group.

"All indications are that the database, a MongoDB instance, was not write-protected," Vickery wrote in a post on the MacKeeper blog.

vickery msft1

Because an attacker could write to the database, including the HTML for the job listings, any person with malicious intent could have leveraged this exposure for a watering hole attack.

"The ability to craft arbitrary HTML into an official Microsoft careers webpage is, to say the least, a powerful find for a would-be malicious hacker. In that scenario, any number of browser exploits could be launched against unsuspecting job-seekers. It would also be a fantastic phishing opportunity, as people seeking jobs at Microsoft probably tend to have higher value credentials," Vickery added.

vickery msft2

Vickery reported the exposed database to Punchkick Interactive on February 5. In his disclosure, he outlined the HTML issue as well as data exposure, by referencing a record including the name, email address, password hash, and issued tokens for Microsoft’s Global Employment Brand Marketing Manager, Karrie Shepro.

It took about an hour to fix the problem.

In his write-up, Vickery noted that the database had been exposed for a few weeks, but an exact timeline is unknown.

When asked for a statement on the issues created by Punchkick Interactive's configuration of their jobs portal, as well as confirmation that prior to Vickery's discovery the database or portal wasn't used for an attack, a Microsoft spokesperson said:

"We were made aware of this issue, and it was addressed." 

Silence from Redmond aside, the good news is that Punchkick Interactive reacted swiftly and fixed the issue once alerted to the problem.

Mistakes happen, and that's why it's important to monitor outsourced development projects and third-party vendors. More often than not, it's the little things that cause the biggest problems in security.

[This story was updated on 15 FEB 2016 to include comments from Microsoft.]

[1] Such stories include database leaks that exposed class records at SNHU, 3.3 million Hello Kitty fans, 191 million voter records, and an additional 18 million voter records with targeted data. 

Copyright © 2016 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)