Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Misconfigured MongoDB exposed 93 million Mexican voter records

A security expert discovered a misconfigured MongoDB installation behind a Microsoft’s career portal that exposed visitors to attacks. The security expert Chris Vickery has discovered a new misconfigured MongoDB installation used by a Microsoft’s career portal. The misconfigured MongoDB installation exposed some information and enabled read/write access to the website. The database also included information on other […]

Misconfigured MongoDB exposed 93 million Mexican voter records

A security expert discovered a misconfigured MongoDB installation behind a Microsoft’s career portal that exposed visitors to attacks.

The security expert Chris Vickery has discovered a new misconfigured MongoDB installation used by a Microsoft’s career portal. The misconfigured MongoDB installation exposed some information and enabled read/write access to the website.

The database also included information on other companies. The database, which is maintained by Punchkick Interactive, a mobile development company hired by Microsoft to manage the m.careersatmicrosoft.com, was promptly secured.

“Microsoft relies on Punchkick to handle the database that powers m.careersatmicrosoft.com. The bad news is that, for at least the past few weeks, this backend database has been exposed to the open internet and required no authentication at all to access.”  Vickery wrote in a post published on the MacKeeper blog.

Vickery reported the issue to Microsoft on February 5, as proof of its severity he included a screenshot showing the name, email address, password hash, and issued tokens for Microsoft’s Global Employment Brand Marketing Manager, Karrie Shepro. Punchkick fixed the issue in just an hour.

“The good news is that as of February 5th, following my disclosure of the vulnerability to Punchkick and Microsoft, everything has been secured.”

MongoDB vulnerable

The misconfigured database could be exploited by hackers to inject malicious code in the web pages used for the job listings and run watering hole attacks.

“The ability to craft arbitrary HTML into an official Microsoft careers webpage is, to say the least, a powerful find for a would-be malicious hacker. This situation is the classic definition of a potential watering hole attack.” Vickery added.

An attacker can use malicious exploit kits to compromise vulnerable visitors’ machines or run a phishing campaign against people searching for a job opportunity at Microsoft.

“In that scenario, any number of browser exploits could be launched against unsuspecting job-seekers. It would also be a fantastic phishing opportunity, as people seeking jobs at Microsoft probably tend to have higher value credentials,” Vickery added.

This incident demonstrates once again the importance of a proper security posture and the efficiency of the patch management process implemented by a company, even when dealing with third-party services.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – MongoDB , hacking)