Vivek PS

Published On: 31 May 2019

$500

Cross tenant data tamper - Yammer.com

IDOR
Microsoft | Web
---
MEDIUM VALID

Hi guys, I would like to share how I received my first ever bounty, that too from Microsoft.

Description

After reading several bug reports I tried to find an SSRF in yammer.com, but was not able to find one. During testing I noticed that Yammer creates an object for every link posted, and if the same link is posted by any other user, the content of that object is replaced with the latest information fetched from that link.

Impact

This bug allowed an attacker to change the image content of messages and comments (private or public) sent by other users inside a Yammer network.

Reproduction Steps

Step 1

The victim copies an image URL and pastes it into a message/comment box. Yammer fetches the details from the link and saves them against an open_graph_object_id for that link. The message is then sent.

Step 2

The attacker copies the same URL and intercepts the request after pasting the link.

Step 3

The attacker sees that an open_graph_object_id has already been created by Yammer for that link. The attacker changes the link parameter of that object to the URL of any other image.

Step 4

All messages/posts sent by other users in that network that reference the object now display the new image the attacker set on it.
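
The tampering path in steps 1 to 4, and the server-side check that closes it, as an added example (not Yammer's or Microsoft's code): a toy preview store in which `FETCHED` stands in for the server-side fetch, `object_id` for the open_graph_object_id, and `vulnerable_attach`/`hardened_attach` are hypothetical handlers. The hardened handler derives preview fields only from its own fetch of the posted URL and logs any client attempt to override the link.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-in for "Yammer fetches the details from the link":
# maps a posted URL to the image a server-side fetch would return.
FETCHED = {
    "https://example.com/cat.png": "cat-image-bytes",
    "https://example.com/other.png": "other-image-bytes",
}

def object_id(network_id: str, link: str) -> str:
    # One shared open graph object per (network, URL), as the report describes.
    return hashlib.sha256(f"{network_id}|{link}".encode()).hexdigest()[:12]

@dataclass
class PreviewStore:
    objects: dict = field(default_factory=dict)   # object_id -> {"link", "image"}
    audit: list = field(default_factory=list)

    def vulnerable_attach(self, network_id, link, params):
        # 'Before': the client-supplied 'link' field is written into the shared
        # object, so every earlier message using it now shows the new image.
        oid = object_id(network_id, link)
        obj = self.objects.setdefault(oid, {"link": link, "image": FETCHED[link]})
        new_link = params.get("link", link)  # attacker-controlled in the report
        obj.update(link=new_link, image=FETCHED[new_link])
        return obj

    def hardened_attach(self, network_id, link, params):
        # 'After': preview fields come only from the server-side fetch of the
        # URL actually posted; a mismatching client 'link' is rejected and logged.
        oid = object_id(network_id, link)
        if params.get("link", link) != link:
            self.audit.append(f"rejected link override on object {oid}")
            raise PermissionError("open graph object fields are server-derived")
        return self.objects.setdefault(oid, {"link": link, "image": FETCHED[link]})

def demo():
    cat, other = "https://example.com/cat.png", "https://example.com/other.png"
    vuln, hard = PreviewStore(), PreviewStore()
    victim_obj = vuln.vulnerable_attach("net1", cat, {})     # victim posts first
    vuln.vulnerable_attach("net1", cat, {"link": other})     # attacker's edited request
    safe_obj = hard.hardened_attach("net1", cat, {})
    try:
        hard.hardened_attach("net1", cat, {"link": other})
        rejected = False
    except PermissionError:
        rejected = True
    return victim_obj["image"], safe_obj["image"], rejected, len(hard.audit)
```

In the vulnerable store the victim's earlier post now shows the attacker's image; in the hardened store the object is untouched and the rejected request leaves an audit entry to alert on.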

Bug limitation

This only affected users inside a Yammer network.

Timeline

- Vivek, 10 Jul 2018: Initial report
- Microsoft, 10 Jul 2018: Automatic response
- Microsoft, 11 Jul 2018: Reproduced / Triaged
- Vivek, 01 Sep 2018: Asked for update
- Microsoft, 10 Sep 2018: Informed that there will not be any bounty
- Microsoft, 14 Sep 2018: Requested details for hall of fame
- Microsoft, 06 Dec 2018: Fixed and awarded the bounty. "Hi Vivek, Jarek here, the Microsoft Bounty Program Manager. I wanted to let you know that while this vulnerability did not meet the bar for se ..."
- Vivek, 07 Dec 2018: Fix confirmed
