2014
08.04

Today I am going to share an interesting vulnerability which allowed me to change the passwords of all Microsoft Careers users. Microsoft-careers.com is Microsoft's official recruiting website, where millions of people around the world have uploaded their CVs. As a job seeker :), I had registered and uploaded my resume there. A month later I tried to log in to my account but, as usual, I had forgotten my password 🙁 I went to the "Forgot my password" page and entered my email; I checked my inbox and found a message containing this reset password link (https://www.microsoft-careers.com/reset/ED504CCE-5056-9214-016F355013806D75/). After clicking the link I was presented with a page where I should enter my new password. Hmmmmm.. I fired up Burp Suite and intercepted the request, which looked like this:

[Screenshot of the intercepted POST request from the reset page, captioned "Microsoft-careers hacked"]

As we can see in this POST request, the (id) value is sent along with the request with no authorisation key: the server trusts the client-supplied id to decide which account gets the new password, instead of deriving the account from the reset token in the link. So I changed the ID value to the ID of my test account, and YES, I could change my test account's password :). Imagine if we wrote a small Python script to automate this process: we could change the passwords of all users within hours. After reporting this vulnerability to Microsoft, they patched it and added my name to their Wall of Fame http://technet.microsoft.com/en-us/security/cc308575#0614
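To make the flaw concrete, here is an added example that is not part of the original post and has nothing to do with Microsoft's real code: a minimal in-memory model of a password-reset endpoint, with the handler written the way the post describes (the account to change is taken from the form's id field, the token only has to exist) beside a hardened handler that derives the account from the token, checks expiry and consumes the token. The user ids, emails, token format and one-hour lifetime are all constructed for the example.

```python
"""Added example: vulnerable vs. hardened password-reset handlers.

Not the original post's code and not Microsoft's code; all accounts, ids,
token format and lifetimes below are assumptions made for the example.
"""
import hashlib
import secrets
import time

TOKEN_TTL = 3600  # assumed lifetime of a reset link, in seconds

# Constructed sample accounts; neither has a password set yet.
USERS = {
    "1001": {"email": "victim@example.com", "pw": None},
    "2002": {"email": "attacker@example.com", "pw": None},
}
# sha256(token) -> (user_id, expiry). Only the hash is stored, so a leaked
# table cannot be turned back into working reset links.
RESET_TOKENS = {}


def hash_password(password):
    """PBKDF2-HMAC-SHA256 with a fresh 16-byte salt; returns (salt, digest)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def check_password(user_id, password):
    """True if `password` matches the stored hash for `user_id`."""
    stored = USERS[user_id]["pw"]
    if stored is None:
        return False
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return secrets.compare_digest(candidate, digest)


def issue_reset_token(user_id):
    """The 'forgot my password' step: mint a random token bound to one account."""
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[key] = (user_id, time.time() + TOKEN_TTL)
    return token


def vulnerable_reset(form):
    """Models the flaw in the post: the token only proves that *some* reset was
    requested, while the account to change comes from the attacker-controlled id."""
    key = hashlib.sha256(form.get("token", "").encode()).hexdigest()
    if key not in RESET_TOKENS:
        return 403, "unknown token"
    uid = form.get("id")  # attacker-controlled: any account id is accepted
    if uid not in USERS:
        return 404, "no such user"
    USERS[uid]["pw"] = hash_password(form["password"])
    return 200, uid


def fixed_reset(form):
    """Hardened handler: the account is derived from the token, the token is
    checked for expiry and consumed on first use, and any id in the form is ignored."""
    key = hashlib.sha256(form.get("token", "").encode()).hexdigest()
    entry = RESET_TOKENS.pop(key, None)  # single use, success or not
    if entry is None:
        return 403, "unknown token"
    uid, expires = entry
    if time.time() > expires:
        return 403, "expired token"
    USERS[uid]["pw"] = hash_password(form["password"])
    return 200, uid


def run_demo():
    """Replay the post's scenario against both handlers and report what each did."""
    for record in USERS.values():
        record["pw"] = None
    RESET_TOKENS.clear()

    # The attacker legitimately requests a reset for their own account (2002)...
    token = issue_reset_token("2002")
    # ...then swaps the id in the intercepted POST for the victim's (1001).
    tampered = {"token": token, "id": "1001", "password": "owned"}

    vuln_status, vuln_uid = vulnerable_reset(tampered)
    victim_compromised = check_password("1001", "owned")

    fix_status, fix_uid = fixed_reset(tampered)
    attacker_only = check_password("2002", "owned")
    replay_status, _ = fixed_reset(tampered)  # same link used a second time

    return {
        "vulnerable": (vuln_status, vuln_uid, victim_compromised),
        "fixed": (fix_status, fix_uid, attacker_only),
        "replay": replay_status,
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

Running it shows the vulnerable handler happily changing account 1001 with a token issued for 2002, while the fixed handler changes only the account the token was minted for and rejects the link the second time it is presented. The check that matters is the one the post says was missing: the identity of the account being reset must come from server-side state tied to the token, never from a field the client can edit.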

6 comments so far

  1. I cannot believe that such a simple flaw exists on a Microsoft site!

    Keep up the good work.

  2. Please keep on posting. I believe we can learn many things from you. Maybe you can also post on how to become like you? 🙂

  3. Dear Sir,

    I am a beginner in learning Python. Well, as you mentioned here, we can write a small Python script to automate this process, but the challenge is how to get the (id) value of victim accounts using a Python script.

    Can you please demonstrate any basic Python script?

    Regards,
    Nilesh

    • We don't even need to know the ID of the victim; once the attacker's email is assigned to the victim's account, the attacker will be notified of that.

  4. Good job buddy,

    Keep up your awesome efforts.
    I see you're the number 1 in Egypt right now; within years we'll see you internationally, with more sparkle.

    Good luck

  5. This is smart, simple and lethal 😀