Database for Microsoft Careers mobile site was leaking data, vulnerable to attack

If you want to work at Microsoft, then you likely have visited Microsoft Careers. The backend database for the mobile version of Microsoft’s jobs portal was misconfigured, exposing user information and leaving the site vulnerable to attack.

Security researcher Chris Vickery has a knack for exposing leaky databases, such as the one that put 13 million MacKeeper users at risk, another which exposed personal information of 191 million voters, yet another that held 18 million voter records with targeted profile data, and one that exposed 140,000 class and student records from Southern New Hampshire University. He also once discovered a leaked Hello Kitty database with 3.3 million user accounts, some belonging to kids.

This time, Vickery said he found another misconfigured MongoDB database which exposed registered users’ information and had write-access to the contents of the database.

Microsoft uses the third-party mobile development company Punchkick Interactive to maintain the mobile version of its Careers website. Punchkick handles databases for other companies as well; Vickery’s screenshot of the database shows other companies such as Marriot, Ritz, and CareerBuilder, but he honed in on Microsoft “due to the probability of that portion having the most impact.”

For at least a “few weeks,” the database for the mobile version of Microsoft’s Careers site was “exposed to the open Internet and required no authentication at all to access,” wrote Vickery. Besides exposing information, it was “serving potentially arbitrary HTML;” the MongoDB database was not write-protected – meaning “an attacker could have modified the database.”

He added:

The ability to craft arbitrary HTML into an official Microsoft careers webpage is, to say the least, a powerful find for a would-be malicious hacker. This situation is the classic definition of a potential watering hole attack.

In that scenario, any number of browser exploits could be launched against unsuspecting job-seekers. It would also be a fantastic phishing opportunity, as people seeking jobs at Microsoft probably tend to have higher value credentials.

Regarding such exposed credentials in Punchkick’s database, Vickery chose a Microsoft manager’s credentials to offer up as proof of the severity of the problem to Microsoft. He sent an email to Microsoft which contained a “screenshot showing the name, email address, password hash, and issued tokens for Microsoft’s Global Employment Brand Marketing Manager, Karrie Shepro.”

The good news is that it took only about an hour after Vickery sent an email to Punchkick for the company to lock down the database.

Vickery frequently uses the Shodan search engine to find insecure MongoDB databases. Shodan founder John Matherly has warned that there are at least 35,000 publicly accessible and insecure MongoDB databases, resulting in 684.8 TB of data exposed. However, Matherly noted that MongDB is not the only poorly configured database, as “Redis, CouchDB, Cassandra and Riak are equally impacted by these sorts of misconfigurations.” Researchers from Switzerland-based BinaryEdge discovered there was about 1.1 petabytes of data exposed from just four misconfigured database management systems: MongoDB, Redis, Memcached, and Elasticsearch.

The takeaway from Vickery’s most recently reported misconfigured MongoDB database, which could have ended up giving Microsoft a black eye, is that if a company uses third-party services, a security hole in their product “can quickly become a hole in your security.” Board members and executives are well aware of the problem, with 90% of those surveyed by Veracode saying cyber liability should land on third parties when the flaws are in their software. Yet only 65% have set up liability clauses with third-party providers.