2014
08.04

Today I am going to share this interesting vulnerability which allowed me to change the passwords of all Microsoft Careers users. Microsoft-careers.com is the Microsoft official recruiting website where millions of people around the world has their CV’s uploaded there. As a Job seeker :), I have registered and uploaded my resume there, a month later, I tried to log in my account but as usual, I forgot my password ­čÖü I went to “Forget my password” page and entered┬ámy Email, I checked my email and found a message including this ┬áreset password link (┬áhttps://www.microsoft-careers.com/reset/ED504CCE-5056-9214-016F355013806D75/) After clicking the link, I have been presented to a page where I should enter my new password, hmmmmm.. I fired up Burpsuite and intercepted the request was looks like

Microsoft-careers hacked

As we can see in this POST request, the (id) value is being sent with the request, with No authorisation key, So I have changed the ID value to the ID of my test account, And YES, I cold change my test account password :). Imagine if we made a small Python code to automate this process, We can change all the password of all users within hours. After reporting this vulnerability to Microsoft, They have patched it and added my name to their Wall of Fame http://technet.microsoft.com/en-us/security/cc308575#0614