Published On: 31 May 2019
Hi guys, I would like to share how I received my first ever bounty, and from Microsoft, no less.
After reading several bug reports I tried to find an SSRF in yammer.com, but I was not able to find one. During the test, though, I noticed that Yammer creates an object for every link, and if the same link is posted by any other user, the content of that object is replaced with the latest information fetched from that link.
This bug allowed an attacker to change the image content of messages or comments (private or public) sent by other users inside a Yammer network.
Step 1: The victim copies an image URL and pastes it into the message/comment box. Yammer fetches the details from the link and saves them against an open_graph_object_id for that link. The message is then sent.
Step 2: The attacker copies the same URL and intercepts the request after pasting the link.
Step 3: The attacker sees that Yammer has already created an open_graph_object_id for that link. The attacker changes the link parameter of that object to the link of any other image.
Step 4: Every message/post sent by other users in that network that used the link now shows the new image the attacker set against that object.
This only affected users inside a Yammer network.
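The root cause described above is a link-preview object shared by every post of the same URL, whose fields the server accepts from the client. The following is an added illustration of that pattern and a hardened version (my own example, not Yammer's code): the store, the constructed fetch table, and the attacker.invalid placeholder are assumptions, not anything from the original report.

```python
from copy import copy
from dataclasses import dataclass

# Constructed stand-in for the server fetching a link's Open Graph image itself.
FETCHED_OG_IMAGE = {"https://example.com/cat.png": "https://example.com/cat.png"}

@dataclass
class OpenGraphObject:
    object_id: int
    url: str
    image: str

class LinkPreviewStore:
    def __init__(self):
        self._by_url = {}  # URL -> the one object shared by every post of that link
        self._next_id = 1

    def _get_or_fetch(self, url):
        if url not in self._by_url:  # first poster triggers the server-side fetch
            self._by_url[url] = OpenGraphObject(self._next_id, url, FETCHED_OG_IMAGE.get(url, ""))
            self._next_id += 1
        return self._by_url[url]

    def vulnerable_attach(self, request):
        # Weak: client fields overwrite the shared object and the post keeps a
        # reference to it, so every earlier post of the same link changes too.
        obj = self._get_or_fetch(request["url"])
        obj.image = request.get("image", obj.image)  # trusted straight from the client
        return obj

    def hardened_attach(self, request):
        # Fixed: only the URL is accepted, the image comes from the server-side
        # fetch, and the post stores its own snapshot of the object.
        extra = set(request) - {"url"}
        if extra:
            raise ValueError(f"not client-editable: {sorted(extra)}")
        return copy(self._get_or_fetch(request["url"]))

def simulate(mode):
    # Victim posts the link, then a second user posts it with a rewritten image
    # field. Returns (victim's preview image, second user's preview image or None).
    store = LinkPreviewStore()
    attach = getattr(store, f"{mode}_attach")
    victim_post = attach({"url": "https://example.com/cat.png"})
    try:
        other = attach({"url": "https://example.com/cat.png", "image": "https://attacker.invalid/swap.png"})
    except ValueError:
        other = None
    return victim_post.image, (other.image if other else None)
```

In the weak path the victim's earlier post ends up showing the rewritten image; in the hardened path the override is rejected and each post keeps its own snapshot, so a later re-fetch of the link cannot silently rewrite what others already sent.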