Insecure Direct Object Reference Exposes all users of Microsoft Azure Independent Software Vendors

https://mynotsecureapp.com/users?userId=1055
{
"UserId": 1055,
"First Name": "Negus",
"Last Name": "Ezana",
"DoB": "1970-01-01",
"Place of Birth": "Bahir Dar",
"email": "ng@mynotsecureapp.com",
"mobile": "0918xxxxxx"
}
https://mynotsecureapp.com/users?userId=1056
{
"UserId": 1056,
"First Name": "Mahelete",
"Last Name": "Solomon",
"DoB": "1980-04-10",
"Place of Birth": "Addis Ababa",
"email": "ms@mynotsecureapp.com",
"mobile": "0911xxxxxx"
}
List of Sellers
GET /en-us/dashboard/account/<redacted>/<redacted>/<redacted>/<redacted>/76????10/users HTTP/2
Host: partner.microsoft.com
Details of users belonging to publisher 76????10
GET /en-us/dashboard/account/<redacted>/<redacted>/<redacted>/<redacted>/76????20/users HTTP/2
Host: partner.microsoft.com
Details of users belonging to publisher 76????20
GET /en-us/dashboard/account/<redacted>/<redacted>/<redacted>/<redacted>/76????00/users HTTP/2
Host: partner.microsoft.com
Details of users belonging to publisher 76????00
GET /en-us/dashboard/account/<redacted>/<redacted>/<redacted>/<redacted>/3?????30/users HTTP/2
Host: partner.microsoft.com
Details of users belonging to publisher 3?????30
GET /en-us/dashboard/account/<redacted>/<redacted>/<redacted>/<redacted>/2?????50/users HTTP/2
Host: partner.microsoft.com
Details of users belonging to publisher 2?????50
Python script to extract thousands of users
  • Implement rate limiting (why would we let a user send thousands of requests to a single endpoint within a short period of time?)
  • Use randomized, unguessable strings to identify objects (user, account, customer, etc.)
  • Detect and respond to anomalies in real time
  • A secure SDLC (S-SDLC) is key
  • Security code review (manual and automated)
  • Perform penetration testing on any product before releasing it to production
  • Logging and monitoring
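As an added example (not code from the original post), here is the kind of lookup that produces the userId=1055/1056 leak shown above, next to a hardened version applying three of the fixes listed: an ownership check against the authenticated caller, random unguessable public identifiers instead of sequential ones, and per-caller rate limiting. The sample records, the five-requests-per-minute policy, and all function names are assumptions.

```python
# Added example, not from the original post: vulnerable lookup vs. hardened one.
import secrets
import time
from collections import defaultdict, deque

# Constructed sample data modelled on the post's two example records.
USERS = {
    1055: {"UserId": 1055, "First Name": "Negus", "email": "ng@mynotsecureapp.com"},
    1056: {"UserId": 1056, "First Name": "Mahelete", "email": "ms@mynotsecureapp.com"},
}

def get_user_insecure(requester_id, user_id):
    """Vulnerable: trusts the userId parameter and never asks who is asking."""
    return USERS.get(user_id)

# --- Hardened variant ------------------------------------------------------
# Opaque public id -> internal id, so sequential ids are never exposed to clients.
PUBLIC_TO_INTERNAL = {}

def public_id_for(internal_id):
    for pub, internal in PUBLIC_TO_INTERNAL.items():
        if internal == internal_id:
            return pub
    pub = secrets.token_urlsafe(16)          # 128 random bits: not enumerable
    PUBLIC_TO_INTERNAL[pub] = internal_id
    return pub

RATE_LIMIT, WINDOW = 5, 60.0                 # assumed policy: 5 requests / 60 s
_hits = defaultdict(deque)                   # per-caller sliding window of timestamps

def rate_limited(requester_id, now=None):
    now = time.monotonic() if now is None else now
    q = _hits[requester_id]
    while q and now - q[0] > WINDOW:         # drop hits outside the window
        q.popleft()
    if len(q) >= RATE_LIMIT:
        return True
    q.append(now)
    return False

def get_user_secure(requester_id, public_id, now=None):
    """Returns (status, body): 429 when rate-limited, 404 for foreign or unknown ids."""
    if rate_limited(requester_id, now):
        return 429, None
    internal_id = PUBLIC_TO_INTERNAL.get(public_id)
    # Authorization check: the record must belong to the authenticated caller.
    if internal_id is None or internal_id != requester_id:
        return 404, None                     # same answer for "missing" and "not yours"
    return 200, USERS[internal_id]
```

Returning the same 404 for an unknown id and for someone else's id keeps the endpoint from confirming which identifiers exist.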
  • Aug 21, 2021 — Reported to Microsoft
  • Aug 21, 2021 — Case manager assigned a case to the report
  • Sep 07, 2021 — Triage
  • Sep 10, 2021 — Vulnerability fixed
  • Dec 10, 2021 — Write-up request