This is fine 🐶

Ricardo Iramar dos Santos
Jun 8, 2020

TL;DR: There is a bunch of sensitive data stored on search engine cache servers related to some Microsoft services, but this is fine.

This is fine

Let’s begin at the end

I tried to report what I’m going to describe in this post three times and got the email below as the final answer.

As you can see, I’m allowed to publish these bugs. I could put here a list of reasons why I’m doing that, but the main reason is that maybe you or your company could be impacted, so you can go ahead and check.

The beginning ⏭️

I don’t really remember what I was looking for, but for sure I wasn’t trying to find any bugs in any kind of Microsoft services, because I’ve already had some problems reporting something simple to MSRC (Microsoft Security Response Center).

I was just checking some Google search results when I saw the URL below, which caught my attention.

https://skydrive.live.com/embedicon.aspx/.Public/2010/march/Neenillade%20Nanagenide%20-%20MN%20Vyasa%20Rao/Elli%20Hoguve%20Nee%20-%20MD%20Pallavi%20Arun.M4A?cid=ceb8d6b27585bd79

The first thing that came to my mind when I opened this URL was: why is a shareable link appearing in Google search results? Before answering this question, let’s recap why and how you can get a shareable link for any OneDrive folder/file to share with your friends.

https://support.office.com/en-us/article/share-onedrive-files-and-folders-9fcc2f7d-de0c-4cec-93b0-a82024800c07

I’ve checked this entire help page and I didn’t find anywhere that says anyone can find some of your shareable links on Google or any other search engine.

Searching for shareable links 🙈

Before trying to search on Google for more shareable links, I noticed the folder names in the https://skydrive.live.com URL and I thought that maybe I could navigate through the folders by removing only the file name.

That blue square with march inside and the number 4 was actually a link.

Did you notice something different when I clicked on the blue square link? We got redirected to https://onedrive.live.com. But what is the difference between SkyDrive and OneDrive? SkyDrive is just the old name of OneDrive. If you want to know why Microsoft changed the name, you can check here: https://en.wikipedia.org/wiki/Microsoft_OneDrive.

The point is we have an old service domain name redirecting to the new domain name and the old service can be found on Google search results. Let’s try to search on onedrive.live.com.

There are a lot of results (about 81,600) but most of them weren’t shareable links. Maybe we can filter (inurl) by the URL query parameter named “cid” which we saw in the URL mentioned above.

Just one! No way! 😔 Wait a minute. Let’s take a look with the omitted results included.

Google found about 42,800 possible shareable links in 0.30 seconds and maybe one of them is a picture that you shared with your friend. Google probably hid the results because the URLs are very similar (same domain and parameters), but their content is different. Even though Google doesn’t provide any preview, we can check the content by opening the links.

The first link that I tried was a video of some kids playing and being interviewed. The video was from Brazil and the kids were speaking in Portuguese. It seems Google also presents the results based on my geolocation, which means I’m probably not able to really get all possible results from all possible Google cache servers.

I don’t know about you but for me this is not fine. Let me explain why by taking another example.

John, the owner of this folder above, created a shareable link and sent it to his friends believing that only they can see it, but this is not true. Let’s check how I was able to find John’s folder.

You can also target what you want to find in the shareable links, as you can see above. I was able to find shared files/folders with private pictures, software, CD/DVD images, licenses, financial documents, passwords, etc. For me this is a security issue which needs some attention, but for MSRC “the risk is low or would take significant effort to exploit” and “Microsoft has decided that it will not be fixing this vulnerability”.

Bingo!

How about the Microsoft search engine called Bing?

Bing found 4.760.000 results on onedrive.live.com without any filter! 😄 This is promising, let’s try filtering like we did on Google.

Using the same filter, Bing found 1.950.000 and Google about 42,800 possible shareable links. Let’s see if we can find John’s folder using Bing by searching for the string “Memorial Day” like we did on Google.

Bing didn’t find John’s folder but found only one of those 3 found by Google. Why?

I’ve compared the 3 links and the only difference which makes sense to me is the permissions. We can assume that Google and Bing have different parameters to cache results.

There is no end 🔚

I had the intuition that SkyDrive/OneDrive wasn’t the only service affected and decided to search on Google with the query “site:live.com inurl:cid -site:onedrive.live.com -site:skydrive.live.com” to find any other vulnerable service.

It seems we can find some Outlook calendars. Let’s take a look at one of them.

Supreme Trial? 🙎

I decided to give it a try and find anything with the password string by searching “site:live.com inurl:password”.

I was able to find some Reset your password links but nothing really scary. The strange part is Microsoft asking for something that is already in the URL.

Trying Bug Bounty 💰

Instead of trying random services, I started targeting the domains described here: https://www.microsoft.com/en-us/msrc/bounty-microsoft-cloud. Let’s try the Google query “site:outlook.office365.com inurl:calendar”.

That’s the same thing we found before under https://outlook.live.com.

By checking some Google results I found an interesting subdomain called “safelinks.protection.outlook.com”. This time let’s check Bing first.

Only 5 results? What about Google?

About 222,000 results in 0.21 seconds. 😱 But why does this matter?

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-safe-links?view=o365-worldwide

It looks like the ATP Safe Links are cached on Google servers. Let’s check what some of them have in common.

https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Finternal.kcl.ac.uk%2Finnovation%2FCrick%2FPhDProgramme%2Findex.aspx&data=01%7C01%7Candrea.streit%40kcl.ac.uk%7Ce941dbd341e94aeed38d08d4ce912ded%7C8370cf1416f34c16b83c724071654356%7C0&sdata=KZWybbWZGhLZueGX4px%2BDr6u4N57r30fuWqeskE0GGA%3D&reserved=0

https://eur03.safelinks.protection.outlook.com/?url=helpdesk.eui.eu&data=02%7C01%7CLaura.Bechi%40eui.eu%7Cab2734792ca441d4184608d783d3cd36%7Cd3f434ee643c409f94aa6db2f23545ce%7C0%7C0%7C637122818064802683&sdata=XqdRj96A3a0mquiKW6MQU2mCjo%2B27dCU22uPK0%2F1Q0w%3D&reserved=0

https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmyidentity.app.vumc.org%2Finvitation%2F&data=02%7C01%7Ctracey.m.street%40vumc.org%7Cc426e0443d4f4691fb9308d7a426da87%7Cef57503014244ed8b83c12c533d879ab%7C0%7C0%7C637158359088368561&sdata=BFFVPNC61CPJtP2f1JyIQ15Lw6cOy4RFo%2BrlCbwqqzk%3D&reserved=0

Did you get it? I’ll help you and URL decode them.

https://eur03.safelinks.protection.outlook.com/?url=https://internal.kcl.ac.uk/innovation/Crick/PhDProgramme/index.aspx&data=01|01|andrea.streit@kcl.ac.uk|e941dbd341e94aeed38d08d4ce912ded|8370cf1416f34c16b83c724071654356|0&sdata=KZWybbWZGhLZueGX4px+Dr6u4N57r30fuWqeskE0GGA=&reserved=0

https://eur03.safelinks.protection.outlook.com/?url=helpdesk.eui.eu&data=02|01|Laura.Bechi@eui.eu|ab2734792ca441d4184608d783d3cd36|d3f434ee643c409f94aa6db2f23545ce|0|0|637122818064802683&sdata=XqdRj96A3a0mquiKW6MQU2mCjo+27dCU22uPK0/1Q0w=&reserved=0

https://nam05.safelinks.protection.outlook.com/?url=https://myidentity.app.vumc.org/invitation/&data=02|01|tracey.m.street@vumc.org|c426e0443d4f4691fb9308d7a426da87|ef57503014244ed8b83c12c533d879ab|0|0|637158359088368561&sdata=BFFVPNC61CPJtP2f1JyIQ15Lw6cOy4RFo+rlCbwqqzk=&reserved=0

The domain of the URL matches the domain of the emails. It seems these are the email addresses that received the URL by email. So let’s find some valid @microsoft.com emails (“site:safelinks.protection.outlook.com inurl:%40microsoft.com”).

https://nam06.safelinks.protection.outlook.com/?url=https://careers.microsoft.com/i/us/en/job/692819/2020-MBA-Graduates-Marketing-GSMO-Beijing&data=02|01|Shaoying.Wang@microsoft.com|6071a332590c44350c9808d726a608ae|72f988bf86f141af91ab2d7cd011db47|1|0|637020366863905780&sdata=DvZj8PcK3eGShuNkJr9A05+0O2kaTqknT+ODsyu4k08=&reserved=0

https://nam06.safelinks.protection.outlook.com/?url=https://docs.microsoft.com/en-us/dynamics365/unified-operations/financials/localizations/rus-cash-flow&data=02|01|sglass@microsoft.com|1b991791450d4418314408d6c3c6a9a1|72f988bf86f141af91ab2d7cd011db47|1|0|636911655386341020&sdata=DZ3MRV4nUKlGiqMPniSRz78dk7BGYwwDBBMMNCIWvF4=&reserved=0

https://nam06.safelinks.protection.outlook.com/?url=https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Reduce-your-potential-attack-surface-using-Azure-ATP-Lateral/ba-p/291787&data=02|01|mepelley@microsoft.com|e963d686a97e4eb7771208d6656ca68c|72f988bf86f141af91ab2d7cd011db47|1|0|636807914712746157&sdata=0dtYSgtC9XpXMztKH2iJj0BVBp5oImO/8QpMrnNvOnw=&reserved=0

This is good for recon when you need a valid email for a specific domain. I didn’t research much, but the other parameters seem to hide something.
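To check your own published content for this leak, here is an added example (not from the original post): it finds Safe Links wrapper URLs in text, restores the wrapped target and lists the recipient addresses at your domain that the `data` parameter would expose. The `nam00`/`eur00` hosts, the addresses and the `unwrap`/`scrub` names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Wrapper URLs as seen on this page: regional host + "?url=...&data=...".
SAFELINK_RE = re.compile(
    r"https://[a-z0-9]+\.safelinks\.protection\.outlook\.com/\?[^\s\"'<>]+",
    re.IGNORECASE,
)

def unwrap(safelink):
    """Return (wrapped_target, recipient_or_None) for one Safe Links URL."""
    # Links copied out of HTML carry "&amp;" separators; normalise them first.
    query = urlsplit(safelink.replace("&amp;", "&")).query
    params = parse_qs(query)  # percent-decodes the values
    target = params.get("url", [""])[0]
    data = params.get("data", [""])[0]
    # The page only establishes that one "|"-separated field is the recipient
    # address, so pick the field containing "@" and ignore the rest.
    recipient = next((f for f in data.split("|") if "@" in f), None)
    return target, recipient

def scrub(text, own_domain):
    """Replace wrapped links with their targets; collect own-domain recipients."""
    exposed = []
    def _replace(match):
        target, recipient = unwrap(match.group(0))
        if recipient and recipient.lower().endswith("@" + own_domain.lower()):
            exposed.append(recipient)
        return target or match.group(0)  # leave unparseable links untouched
    return SAFELINK_RE.sub(_replace, text), exposed

# Constructed sample page fragment (hosts, addresses and values are made up).
SAMPLE = (
    '<a href="https://nam00.safelinks.protection.outlook.com/'
    "?url=https%3A%2F%2Fintranet.example.com%2Fhr%2F"
    "&amp;data=02%7C01%7Cjane.doe%40example.com%7C0000%7C1111%7C0%7C0%7C1"
    '&amp;sdata=AAAA%3D&amp;reserved=0">HR page</a> and '
    "https://eur00.safelinks.protection.outlook.com/?url=helpdesk.example.org"
    "&data=02%7C01%7C%7C0000&reserved=0"
)

if __name__ == "__main__":
    cleaned, exposed = scrub(SAMPLE, "example.com")
    print(cleaned)
    print("recipients exposed:", exposed)
```

Running `scrub` over page sources or documents before they are published removes the recipient address along with the wrapper.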

Let’s try the Google query “site:sharepoint.com inurl:cid”.

SharePoint shareable links are also there.

Another service called Sway (“site:sway.com inurl:ref=Link”).

Grand Finale!

Probably there are many more Microsoft services that you can find through different search engines, but this will be the grand finale service: broadcast.skype.com.

There is no need to explain anything, just take a look at the screenshots below.

If you find any other interesting service and want to share, please send me an email at ricardo.iramar@gmail.com or on Twitter @ricardo_iramar.
