Database for Microsoft Careers mobile site was leaking data, vulnerable to attack – Network World

If you want to work at Microsoft, then you likely have visited Microsoft Careers. The backend database for the mobile version of Microsoft’s jobs portal was misconfigured, exposing user information and leaving the site vulnerable to attack.

Security researcher Chris Vickery has a knack for exposing leaky databases, such as the one that put 13 million MacKeeper users at risk, another that exposed personal information of 191 million voters, yet another that held 18 million voter records with targeted profile data, and one that exposed 140,000 class and student records from Southern New Hampshire University; he also discovered a leaked Hello Kitty database with 3.3 million user accounts, some belonging to kids. This time, Vickery said he found another misconfigured MongoDB database, which exposed registered users’ information and allowed write access to its contents.

Microsoft uses the third-party mobile development company Punchkick Interactive to maintain the mobile version of its Careers website. Punchkick handles databases for other companies as well; Vickery’s screenshot of the database shows other companies such as Marriott, Ritz and CareerBuilder, but he homed in on Microsoft “due to the probability of that portion having the most impact.”

Exposed MongoDB for Microsoft Careers site. Image credit: Chris Vickery / MacKeeper

For at least a “few weeks,” the database for the mobile version of Microsoft’s Careers site was “exposed to the open Internet and required no authentication at all to access,” wrote Vickery. Besides exposing information, it was “serving potentially arbitrary HTML;” the MongoDB database was not write-protected – meaning “an attacker could have modified the database.”
