Responsible Security Disclosure Write-up About Vulnerability In One Of The Microsoft Online Services
Category: Technology Company
Affected Product: Whiteboard
Scope: Under Microsoft Online Services Bounty Program
Vulnerable Endpoint: https://whiteboard.microsoft.com/
Vulnerability Type: UI Redressing [User Interface Redress Attack]
Maximum Vulnerability Impact: Delete Whiteboards Of Victim's Account
Initial Report: Sun Feb 23, 2020
Triaged: Wed Feb 26, 2020
Confirmation of Fix By Microsoft Security Team: Fri Apr 3, 2020
Asked For Public Disclosure: Wed Apr 8, 2020 (Disclosure Allowed)
Published: Sun Apr 12, 2020
Microsoft Whiteboard is a freeform digital canvas where people, ideas, and content come together.
One of Microsoft's online services, “Whiteboard” [whiteboard.microsoft.com], lacked Content Security Policy protection against framing, which allowed an attacker to embed the vulnerable web page inside any external site. In other words, due to the lack of CSP protection, it was possible for an attacker to iframe “whiteboard.microsoft.com” and all its other endpoints inside the attacker's website (imagine the Microsoft web page sitting behind opaque content hosted on a third-party website).
Successful exploitation of the vulnerability allowed an attacker to trick a victim into unknowingly deleting any of the whiteboards present in the victim's account.
Upon bringing this issue to the Microsoft Security Response Center's attention, their engineering team pushed a fix into production and resolved the issue. That being said, the flaw is now patched.
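A defender can check for the missing framing protection described above by inspecting a page's response headers. The following is an added example, not code from this write-up or from Microsoft; the X-Frame-Options fallback and all sample header values are assumptions that do not appear in the report.

```python
# Added example: classify who may embed a page, based on its response headers.
RANK = {"anyone": 0, "allowlist": 1, "self": 2, "none": 3}


def parse_frame_ancestors(policy):
    """Return the frame-ancestors source list of one CSP policy, or None if absent."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None  # default-src does NOT act as a fallback for frame-ancestors


def classify_sources(sources):
    """Map a frame-ancestors source list to who may embed the page."""
    if not sources or sources == ["'none'"]:
        return "none"
    if any(s == "*" or s.endswith(":") for s in sources):
        return "anyone"  # wildcard or bare scheme such as https:
    if all(s == "'self'" for s in sources):
        return "self"
    return "allowlist"


def framing_policy(headers):
    """Return 'none', 'self', 'allowlist' or 'anyone' for a dict of response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    # Content-Security-Policy-Report-Only is deliberately not read: it enforces nothing.
    verdicts = []
    for policy in h.get("content-security-policy", "").split(","):
        sources = parse_frame_ancestors(policy)
        if sources is not None:
            verdicts.append(classify_sources(sources))
    if verdicts:
        # Every policy must allow the embed, so report the strictest verdict
        # (an approximation of intersecting the source lists).
        return max(verdicts, key=RANK.get)
    # With no frame-ancestors directive, browsers fall back to X-Frame-Options.
    # ALLOW-FROM is obsolete and ignored by current browsers, so it protects nothing.
    xfo = h.get("x-frame-options", "").strip().upper()
    return {"DENY": "none", "SAMEORIGIN": "self"}.get(xfo, "anyone")


if __name__ == "__main__":
    # Constructed sample responses (not captured from whiteboard.microsoft.com).
    print(framing_policy({"Content-Security-Policy": "default-src 'self'"}))
    print(framing_policy({"Content-Security-Policy": "frame-ancestors 'none'"}))
```

A result of `anyone` means any third-party site can load the page in an iframe, which is the precondition for UI redressing.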