Good part: The issue got fixed in less than an hour

Feb 13, 2016 22:06 GMT

Microsoft has patched a leaky database that was exposing information for users who registered on the mobile version of their Careers website.

Security researcher Chris Vickery found the issue, which is similar to his previous discoveries. Mr. Vickery has made a name for himself by hunting down companies deploying misconfigured MongoDB databases online.

One of the companies he exposed was MacKeeper, which was leaking details of over 13 million users. The company was so impressed with his dedication and skills that they gave him a job.

Microsoft, Ritz, Marriott were all affected

According to a blog post on MacKeeper's site, Mr. Vickery has now revealed that he helped Microsoft secure a MongoDB database that was accessible via the Internet, had no password and allowed attackers to modify its content.

The database in question belonged to Punchkick Interactive, a mobile Web development company that Microsoft hired to manage the mobile version of their Careers website.

Alongside Microsoft, the same database also exposed information for the company's other clients, like Marriott Hotels and Ritz-Carlton Hotels. All databases were vulnerable in the same way.

Attackers could read but also write content to the database

While exposing private data for everyone who registered on Microsoft's Careers mobile website is bad enough, the real danger lay elsewhere. Because any attacker would have had write access to the database's content, they could have inserted malicious code into it and had that code embedded on the site itself.

This situation opened the door for classic drive-by download attacks, which would have allowed hackers an easy and hard-to-detect method of delivering malware.
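The misconfiguration described above (a mongod reachable from the Internet with authorization disabled) can be caught before deployment with a configuration check. The following audit is an added example, not code from the article, Punchkick or Microsoft; it assumes the YAML mongod.conf format and uses two constructed sample configurations.

```python
# Added example: flag the two mongod.conf settings that produce an
# Internet-reachable, passwordless MongoDB. Sample configs are constructed.

WEAK_CONF = """\
# constructed sample: listens on every interface, no security section
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """\
# constructed sample: loopback only, credentials required
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_conf(text):
    """Minimal parser for the two-level key/value subset of mongod.conf
    YAML (no lists); returns {section: {key: value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if not raw.startswith(" "):               # top-level section
            section = key
            conf.setdefault(section, {})
        elif section is not None:
            conf[section][key] = value.strip()
    return conf


def audit(text):
    """Return exposure findings for a mongod.conf text (empty list = clean)."""
    conf = parse_conf(text)
    findings = []
    bind_ip = conf.get("net", {}).get("bindIp", "")
    if any(a.strip() in ("0.0.0.0", "::") for a in bind_ip.split(",")):
        findings.append("net.bindIp listens on all interfaces")
    # MongoDB runs without authorization when the security section is absent.
    if conf.get("security", {}).get("authorization", "disabled") != "enabled":
        findings.append("security.authorization is not enabled")
    return findings
```

An absent net.bindIp is not flagged here; review it against the default of the mongod version in use.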

Punchkick fixed the issue less than an hour after Mr. Vickery informed them by email, which deserves praise, considering that other companies take years to fix security issues.

"The lesson to learn here is that if you’re a big name player like Microsoft, it’s acceptable for third-parties to handle mundane operations like job posting webpages," Mr. Vickery noted. "But be aware that a hole in the third-party’s security can quickly become a hole in your security."

Image: Sample of the leaked data