Maximum Vulnerability Impact: Delete Whiteboards Of Victim's Account
Timeline:
Initial Report: Sun Feb 23, 2020
Triaged: Wed Feb 26, 2020
Confirmation of Fix By Microsoft Security Team: Fri Apr 3, 2020
Asked For Public Disclosure: Wed Apr 8, 2020 (Disclosure Allowed)
Published: Sun Apr 12, 2020
About Product:
Microsoft Whiteboard is a freeform digital canvas where people, ideas, and content come together.
Description:
One of Microsoft's online services, “Whiteboard” (whiteboard.microsoft.com), was served without a Content Security Policy restricting who may frame it, which allowed an attacker to embed the vulnerable web page inside any external site. In other words, due to the lack of CSP protection it was possible for an attacker to iframe “whiteboard.microsoft.com” and all of its other endpoints inside the attacker's website (imagine the Microsoft web page sitting behind opaque content hosted on a third-party website).
Successful exploitation of the vulnerability allowed an attacker to trick the victim into unknowingly deleting any of the whiteboards present in the victim's account.
Upon bringing this issue to the Microsoft Security Response Center's attention, their engineering team pushed a fix into production and resolved the issue. That being said, the flaw is now patched.
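As an added illustration that is not part of the original write-up: a small check that, given a response's headers, decides whether a browser would let an outside origin frame the page, so a defender can confirm the missing framing protection described above and verify a fix. The header sets and the attacker origin below are constructed, not captured from the real service.

```python
from urllib.parse import urlsplit

def frame_ancestors(csp: str):
    """Return the frame-ancestors source list from a CSP header value, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def source_allows(source: str, page_origin: str, framer_origin: str) -> bool:
    """Match one frame-ancestors source expression against the framing origin (ports ignored)."""
    if source == "'none'":
        return False
    if source == "'self'":
        return framer_origin == page_origin
    if source == "*":
        return True
    framer = urlsplit(framer_origin)
    if source.endswith(":"):                      # scheme-only source, e.g. https:
        return framer.scheme == source[:-1]
    src = urlsplit(source if "://" in source else "//" + source)
    if src.scheme and src.scheme != framer.scheme:
        return False
    host = src.hostname or ""
    if host.startswith("*."):                     # wildcard subdomain source
        return (framer.hostname or "").endswith(host[1:])
    return framer.hostname == host

def can_be_framed_by(headers: dict, page_origin: str, framer_origin: str) -> bool:
    """True if a browser would let framer_origin embed page_origin given these response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:                     # CSP frame-ancestors takes precedence over X-Frame-Options
        return any(source_allows(s, page_origin, framer_origin) for s in ancestors)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer_origin == page_origin
    return True                                   # no framing protection at all: any site can embed the page

# Constructed sample responses (hypothetical, not the real service's headers)
PAGE = "https://whiteboard.microsoft.com"
ATTACKER = "https://attacker.example"             # hypothetical third-party site
WEAK_HEADERS = {"Content-Type": "text/html"}      # no framing protection, as in the report
FIXED_HEADERS = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.microsoft.com",
                 "X-Frame-Options": "SAMEORIGIN"}
```

Running can_be_framed_by over the weak and fixed header sets shows the first accepting the outside origin and the second rejecting it.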