
Careers Website of Microsoft was Revealing Data through a Misconfigured MongoDB Database


Chris Vickery, a security researcher, found the problem, which is just like his previous discoveries. Mr. Vickery has earned a reputation for tracking down companies that host misconfigured MongoDB databases online. One of the companies he exposed was MacKeeper, which was revealing details of more than 13 million users. The company was very impressed with his skills and dedication, and offered him a job.

Mr. Vickery posted a blog entry on MacKeeper's site revealing that he had helped Microsoft secure a MongoDB database that was accessible through the Internet, had no password, and allowed attackers to change its content. Microsoft uses Punchkick Interactive, a third-party mobile development company, to maintain the mobile version of its Careers website. Punchkick also holds databases for other companies; Vickery's screenshot of the database reveals other companies such as Ritz, Marriott and CareerBuilder, but he homed in on Microsoft "due to the probability of that lot having maximum impact".

Although disclosing the private data of everyone registered on Microsoft's Careers mobile website is very bad, the real danger lies elsewhere. Since any attacker would have had write access to the content of the database, they would have been able to insert malicious code into its content and get it embedded on the site itself. This opened the door to classic drive-by download attacks, which would have given hackers an easy way to deliver malware that would be difficult to detect.

Softpedia reported on 14th February, 2016, that Punchkick solved the problem less than an hour after Mr. Vickery informed them via email, which deserves praise considering that other companies take years to solve security problems.

The takeaway from Vickery's latest reported misconfigured MongoDB database, which could ultimately have given Microsoft a black eye, is that if a company uses the services of a third party, a security hole in their product "can quickly become a hole in your security". Board members and executives are well aware of the complication, with 90% of those surveyed by Veracode stating that cyber accountability should lie with third parties when faults are in the software. Nevertheless, only 65% have put accountability clauses in place with their third-party providers.

» SPAMfighter News - 2/19/2016
