Reading Message from Microsoft’s Private Yammer Group
Hi All,
I'm back with another blog post about a vulnerability I found in a Microsoft business application. This time we will read messages/posts from a private Microsoft Yammer group.
To summarize what Microsoft employees were discussing in these Yammer groups: COVID-19 and vaccines, customers, competitors, and business strategies.
Technical Detail
Detection
I logged in to https://<x>.transform.microsoft.com/ using my test Azure AD (AAD) user account.
Testing Account: maotg@msobb??.onmicrosoft.com.
As the picture below shows, the user is not authorized to access the business transform application.
The user's permission is verified by the server through a 'userwhitelist' API call. Let's look at this API call's request and response.
GET /api/user/maotg@*.onmicrosoft.com/userwhitelist
Host: ?*.azurewebsites.net
- The user is authorized (white-listed) if the response to the above request is true.
- The user is not authorized if the response to the above request is false.
Obviously, this authorization check can easily be bypassed by intercepting the request and modifying the response from false to true, unless the subsequent API calls also verify the user's permission on the server side.
After changing the response from false to true, I was able to unlock some of the application's functionality. One of the application's most important features is that authorized users can access Microsoft's private Yammer group (a group belonging to Microsoft and its business partners).
The latest Yammer posts can be seen on the right side of the picture above. Let's focus on the API call responsible for fetching the Yammer posts. The application calls /api/Yammer/group/15003/feeds/5 to fetch the top 5 posts from Yammer group 15003.
GET /api/Yammer/group/15003/feeds/5
Host: ?.azurewebsites.net
Authorization: Bearer eyJ…
Reading More Information
The application is hardcoded to fetch only the top 5 feeds from group ID 15003. I tried fetching the top 1000 feeds to check whether sensitive information would be disclosed.
Result
I was able to read more posts containing sensitive information, and, most importantly, I discovered other Yammer group IDs, such as 30300774400:
GET /api/Yammer/group/30300774400/feeds/5000
Host: ?.azurewebsites.net
Authorization: Bearer eyJ…
Sample result of the above request in a readable form:
Another example, from a different group, 16002774:
GET /api/Yammer/group/16002774/feeds/5000
Host: ?.azurewebsites.net
Authorization: Bearer eyJ…
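The two weaknesses above are the client-trusted /userwhitelist result and the feeds endpoint accepting any group ID and any feed count. The following server-side handler, added here as an example and not taken from the application, shows how the feeds endpoint should enforce both checks itself. The caller identity taken from the bearer token, the GROUP_ACL table and the fetch_feeds stub are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# The UI only ever needs the five most recent posts, so cap the page size
# instead of letting the caller ask for 5000 posts at once.
MAX_FEED_COUNT = 5

# Constructed sample data (not real accounts): whitelisted users mapped to
# the Yammer group IDs they are entitled to read.
GROUP_ACL = {
    "partner@example.onmicrosoft.com": {15003},
}

FEED_PATH = re.compile(r"^/api/Yammer/group/(?P<group>\d+)/feeds/(?P<count>\d+)$")


@dataclass
class Response:
    status: int
    body: object = None


def fetch_feeds(group_id: int, count: int) -> list:
    """Stand-in for the upstream Yammer call; returns constructed post titles."""
    return [f"post {i} from group {group_id}" for i in range(count)]


def handle_feed_request(token_user: str, path: str) -> Response:
    """Authorize and serve /api/Yammer/group/<id>/feeds/<n>.

    `token_user` is the identity taken from the validated bearer token,
    never from the URL or from anything the browser claims about itself.
    """
    m = FEED_PATH.match(path)
    if not m:
        return Response(404, "not found")
    # Re-check the whitelist on every request: a true/false answer the
    # client received earlier from /userwhitelist proves nothing here.
    allowed_groups = GROUP_ACL.get(token_user)
    if not allowed_groups:
        return Response(403, "user is not whitelisted")
    # Object-level check: group IDs are discoverable from other posts, so
    # entitlement to the specific group must be verified as well.
    group_id = int(m["group"])
    if group_id not in allowed_groups:
        return Response(403, "not a member of this group")
    count = min(int(m["count"]), MAX_FEED_COUNT)
    return Response(200, fetch_feeds(group_id, count))
```

With these checks in place, a modified /userwhitelist response unlocks nothing on its own, and requests for other group IDs or oversized feed counts fail closed.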
Report Timeline
September 10, 2021 — Report to MSRC
September 13, 2021 — Triage
September 13, 2021 — Microsoft fixed the bug
July 13, 2022 — Request for disclosure & draft submitted
July 14, 2022 — Feedback from Microsoft to obfuscate a few pictures
July 26, 2022 — Approved by Microsoft for public disclosure