Vivek PS

Published On: 31 May 2019


Cross tenant data tamper

Microsoft | Web

Hi guys, I would like to share how I received my first ever bounty, which happened to come from Microsoft.


After reading several bug reports I tried to find an SSRF in . I was not able to find one, but during the test I noticed that Yammer was creating an object for every link pasted into a message, and if the same link was posted by any other user, the content of that object was replaced by the latest information fetched from that link.


This bug allowed an attacker to change the image content of messages or comments (private or public) sent by other users inside a Yammer network.

Reproduction Steps


The victim copies an image URL and pastes it into the message/comment box. Yammer fetches the details from the link and saves them against an open_graph_object_id for that link. The message is then sent.


The attacker copies the same URL and intercepts the request that is sent after pasting the link.


The attacker sees that Yammer has already created an open_graph_object_id for that link. The attacker changes the link parameter of that object to the URL of any other image.


Every message or post sent by other users in that network that references the object now renders the new image set by the attacker.
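The shared-object flaw behind the steps above, modelled as an added Python example (not Yammer's code): a hypothetical LinkPreviewStore keeps one preview object per pasted URL, and the handler that lets a client-supplied link field overwrite that shared object is shown beside one that renders only what the server itself fetched. The URLs and the FETCHED_OG_IMAGE table are constructed.

```python
from dataclasses import dataclass

# Constructed stand-in for the server-side metadata fetch (Yammer reads the
# link's Open Graph data): pasted URL -> image that page advertises.
FETCHED_OG_IMAGE = {"https://example.com/chart.png": "https://example.com/chart.png"}

@dataclass
class OpenGraphObject:
    object_id: int
    url: str    # the pasted link; one object per URL, shared across the network
    image: str  # rendered in every message that references this object

class LinkPreviewStore:
    """One preview object per URL, shared by every user of the network."""
    def __init__(self):
        self._by_url, self._by_id = {}, {}

    def _get_or_fetch(self, url):
        if url not in self._by_url:
            og = OpenGraphObject(len(self._by_id) + 1, url, FETCHED_OG_IMAGE[url])
            self._by_url[url] = self._by_id[og.object_id] = og
        return self._by_url[url]

    def attach_vulnerable(self, url, client_fields):
        """Flawed: a 'link' field from the client overwrites the shared object."""
        og = self._get_or_fetch(url)
        og.image = client_fields.get("link", og.image)  # trusts the client request
        return og.object_id

    def attach_fixed(self, url, client_fields):
        """Hardened: preview content comes only from the server's own fetch."""
        og = self._get_or_fetch(url)
        if client_fields.get("link", og.image) != og.image:
            raise PermissionError("client may not rewrite shared preview fields")
        return og.object_id

    def image_for(self, object_id):
        return self._by_id[object_id].image

def victim_then_attacker(attach_name, attacker_fields):
    """Victim posts the link, attacker replays it; returns (victim's image, rejected)."""
    store = LinkPreviewStore()
    attach = getattr(store, attach_name)
    victim_object = attach("https://example.com/chart.png", {})  # pasted untouched
    try:
        attach("https://example.com/chart.png", attacker_fields)
        rejected = False
    except PermissionError:
        rejected = True
    return store.image_for(victim_object), rejected
```

With the flawed handler the victim's already-sent message renders the attacker's image; the hardened handler refuses the modified replay and the victim's message is unchanged.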

Bug limitation

This only affected users inside the same Yammer network.

Vivek 10 Jul 2018

Initial report

Microsoft 10 Jul 2018

Automatic response

Microsoft 11 Jul 2018

Reproduced / Triaged

Vivek 01 Sep 2018

Asked for update

Microsoft 10 Sep 2018

Informed that there will not be any bounty

Microsoft 14 Sep 2018

Requested details for hall of fame

Microsoft 06 Dec 2018

Fixed and awarded the bounty. Hi Vivek, Jarek here, the Microsoft Bounty Program Manager. I wanted to let you know that while this vulnerability did not meet the bar for se ...

Vivek 07 Dec 2018

Fix confirmed