Hey Everyone, Hope you’re doing safe and sound.
I recently found a bug in the Microsoft research portal that could have let me read the bug report updates of fellow security researchers who report to Microsoft. It was a simple yet interesting thing I found while randomly exploring the portal.
It was an information disclosure bug: anyone who had a vulnerability report ID could obtain the update information for that report.
The vulnerability report ID has the form VULN-<some number> and is the unique identifier for every report; Microsoft validates a bug report by this ID. The number is assigned sequentially, for example 010001 followed by 010002, so valid IDs are easily guessable.
As a result, User B could receive updates on User A's bug report without User A's knowledge.
How could the bug have affected Microsoft?
If an attacker sent an automated mail to Microsoft's mail ID with the report number changed, he could have listened in on the updates for that report. If any sensitive information was sent via mail, the attacker could have used it for malicious purposes.
Microsoft rated this bug as Important and fixed it. It was not awarded a bounty because it was out of scope under Microsoft's terms.
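The flaw described above is a missing ownership check on a guessable identifier: the mail handler trusted whatever VULN- number appeared in the subject and added the sender to that report's update notifications. The following Python model is an added example, not Microsoft's code and not part of the original post. It contrasts a subscription handler that accepts any mail carrying a valid report number with a hardened one that issues non-sequential IDs and only accepts a sender who actually owns the report. The class and method names, the subject-line format and the e-mail addresses are constructed assumptions.

```python
import re
import secrets
from dataclasses import dataclass, field

# Assumed subject-line convention: the report number appears as "VULN-<id>".
SUBJECT_ID = re.compile(r"VULN-([A-Za-z0-9_-]+)")


@dataclass
class Report:
    report_id: str
    owner_email: str
    updates: list = field(default_factory=list)
    subscribers: set = field(default_factory=set)


class ReportPortal:
    """Constructed toy model of a researcher portal (not Microsoft's code).

    sequential_ids=True reproduces the guessable 010001, 010002, ... scheme;
    sequential_ids=False issues random, unguessable identifiers instead.
    """

    def __init__(self, sequential_ids: bool):
        self.sequential_ids = sequential_ids
        self._reports: dict[str, Report] = {}
        self._next = 10000

    def submit(self, owner_email: str, title: str) -> str:
        if self.sequential_ids:
            self._next += 1
            rid = f"VULN-{self._next:06d}"          # VULN-010001, VULN-010002, ...
        else:
            rid = "VULN-" + secrets.token_urlsafe(12)  # ~96 bits, not enumerable
        report = Report(rid, owner_email.lower(), [f"received: {title}"])
        report.subscribers.add(report.owner_email)   # the reporter always gets updates
        self._reports[rid] = report
        return rid

    def post_update(self, report_id: str, text: str) -> list:
        """Record a triage update and return the addresses that would be mailed."""
        report = self._reports[report_id]
        report.updates.append(text)
        return sorted(report.subscribers)

    def _lookup(self, subject: str):
        match = SUBJECT_ID.search(subject)
        return self._reports.get("VULN-" + match.group(1)) if match else None

    def subscribe_vulnerable(self, sender: str, subject: str) -> bool:
        # Vulnerable: any sender who names a valid report ID is added to its
        # notification list. The ID alone is treated as proof of ownership.
        report = self._lookup(subject)
        if report is None:
            return False
        report.subscribers.add(sender.lower())
        return True

    def subscribe_hardened(self, sender: str, subject: str) -> bool:
        # Hardened: the sender must be the authenticated owner of that report.
        # Unknown IDs and foreign reports get the same answer, so the handler
        # does not act as an oracle for which IDs exist.
        report = self._lookup(subject)
        if report is None or report.owner_email != sender.lower():
            return False
        report.subscribers.add(sender.lower())
        return True


def demo() -> dict:
    """Run both variants on the same scenario; constructed addresses only."""
    weak = ReportPortal(sequential_ids=True)
    rid_a = weak.submit("alice@example.com", "XSS in widget")
    # A neighbouring number is trivially derived from any other report ID.
    weak.subscribe_vulnerable("bob@example.com", f"Re: [{rid_a}] any update?")
    leaked_to = weak.post_update(rid_a, "triaged as Important")

    strong = ReportPortal(sequential_ids=False)
    rid_b = strong.submit("alice@example.com", "XSS in widget")
    rejected = not strong.subscribe_hardened("bob@example.com", f"Re: [{rid_b}] any update?")
    mailed_to = strong.post_update(rid_b, "triaged as Important")
    return {"weak_id": rid_a, "leaked_to": leaked_to,
            "foreign_sender_rejected": rejected, "mailed_to": mailed_to}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the weak variant the update for Alice's report is mailed to both addresses; in the hardened variant Bob's mail is ignored and only the owner is notified. Random IDs remove the enumeration problem, but the ownership check is the fix that matters: an unguessable ID that leaks in a screenshot or a forwarded mail must still not grant access by itself.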
Thanks for reading, good day! :-)