Responsible Security Disclosure Write-up About Vulnerability In One Of The Microsoft Online Services

Company: Microsoft

Category: Technology Company

Affected Product: Whiteboard

Scope: Under Microsoft Online Services Bounty Program

Vulnerable Endpoint: https://whiteboard.microsoft.com/

Vulnerability Type: UI Redressing [User Interface Redress Attack]

Maximum Vulnerability Impact: Delete Whiteboards Of Victim's Account


Timeline:

Initial Report: Sun Feb 23, 2020

Triaged: Wed Feb 26, 2020

Confirmation of Fix By Microsoft Security Team: Fri Apr 3, 2020

Asked For Public Disclosure: Wed Apr 8, 2020 (Disclosure Allowed)

Published: Sun Apr 12, 2020


About Product:

Microsoft Whiteboard is a freeform digital canvas where people, ideas, and content come together.


Description:

Microsoft's one of the online services called “Whiteboard — [whiteboard.microsoft.com]” was vulnerable against browser's Content Security Policy which was allowing an attacker to embed the vulnerable web page inside any of the external sites. In other words due to lack of CSP protection it was possible for an attacker to iframe “whiteboard.microsoft.com” and all its other endpoints inside the attacker's website, (imagine the Microsoft web page behind the opaque content hosted on third party website).

The successful exploitation of the vulnerability was leading an attacker to trick victim to unknowingly delete any of the whiteboard that are presented in his (victim's) account.

Upon bringing this issue to Microsoft Security Response Center's attention, their engineering team pushed a fix into production and resolved the issue. That is being said the flaw is patched now.