[German]Microsoft offers webinars, online courses held via the Internet – that's good. Unfortunately there is a security flaw in a German webinar registration form offered by Microsoft Germany that reveals the names of Microsoft's customers. And there are "other" stupid things I discovered while inspecting the form. The most nasty thing: one of my blog readers reported that flaw to Microsoft some time ago – without a reaction. So I decided to write a blog post – perhaps it will trigger a reaction. Addendum: I received feedback from Microsoft Germany – it's not a flaw, it's a feature by design. But the cases I've outlined below led to a discussion at Microsoft Germany about whether this feature should be removed for privacy protection.
Yesterday I posted this article in my German blog, announcing a webinar about "Privacy and data protection with the cloud", held on 12/13/2016 by some MVP colleagues. That night I got a user comment informing me about a security flaw in Microsoft's registration form. Here is what the blog reader told me (in German):
Hi Guenter,
go to the registration form (https://resources.office.com/DE-O365-WBNR-FY17-12Dec-13-Datenschutz-Cloud277753_RegistrationShortForm-Office.html?wt.mc_id=AID558536_QSG_PR_127294) and enter at least two characters into the company text box („Name Ihres Unternehmens"). A list of companies already attending the webinar will be shown. I stumbled upon that flaw weeks ago and reported it to Microsoft Germany – but till now without a reaction or feedback.
Uh, such comments always trigger a "need to investigate" reflex here, so I fired up a browser that night and tried to check it myself …
A tale of mystery
OK, first I used the Slimjet browser (a Google Chrome clone) to visit the Microsoft registration site for the webinar announced above. I was facing a redirection to about:blank and got a blank browser window.
The text above is just a funny joke inserted by me for my German readers (it says that the paint has run out, so "we have to go on drawing without it" – but the caretaker is out looking for a new can of paint).
Because my Slimjet browser had made trouble during the last days (I had a certificate problem, which I described in Slimjet-Browser auf Version 12.0.12.0 aktualisiert – Zertifikatsfehler ausgemerzt), I used other browsers to inspect the registration site. Although I'm a poor blogger, I'm able to run a couple of browsers (mostly portable versions).
The screenshot above was taken in Internet Explorer – stating that the address entered was wrong.
Addendum: Microsoft claimed that a worldwide change of the registration process was responsible for the behavior outlined above.
But Google Chrome 55 – and also Firefox 50 – showed me the registration form for the webinar coming today. Uh, a pretty crazy thing, isn't it? I haven't tried Edge yet. Then I checked my mail and found out that my registration from yesterday for the webinar had been accepted.
Microsoft also confirms that "privacy" is in scope, but I was puzzled to see that Microsoft in Redmond was responsible, although I registered with Microsoft Germany GmbH. But wait, things are getting even more nasty.
Let's try a 2nd registration for a webinar
Then I took a new webinar and tried to sign up – and suddenly I was puzzled. The behavior was visible in the Slimjet browser and also in Firefox (the screenshot below is the sign-up page for the cloud data protection webinar).
After entering two letters or digits into the company name text box, a drop-down list with company names of previous applicants (I guess) appears. First I thought a kind of geo-location filter based on my IP address was used. But experimenting a bit, I was able to locate customers worldwide.
I found names of individuals running an IT service company, and noticed that Russian customers in St. Petersburg also like to join Microsoft webinars. I could identify an arms dealer and companies running infrastructure in France or in GB. Well, I was also surprised that a backyard burger restaurant located in Memphis, Tennessee, is joining webinars. Uh …
It was a kind of chat roulette: trying different combinations of two or three characters to find new customers.
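To make the underlying design problem concrete, here is an added example (my own illustration, not Microsoft's form code, whose implementation is not known) of a company-name typeahead backend: first in the pattern the behavior above implies, where suggestions are drawn from every earlier registrant, and then scoped so that a user only ever sees his own previous entries. A small log check follows that flags the "chat roulette" prefix cycling while a fix is pending. All company names, e-mail addresses, client addresses and the `registrations`/`sampleLog` data are constructed sample values.

```javascript
// Added example, not Microsoft's code: a company-name typeahead backend in a
// leaky and a scoped variant, plus a request-log check for prefix enumeration.
// Every name, address and log entry below is constructed sample data.

// Constructed registration store; a real form would back this with a database.
const registrations = [
  { email: "anna@example.com", company: "Contoso GmbH" },
  { email: "bob@example.net", company: "Contoso Logistics" },
  { email: "carl@example.org", company: "Fabrikam AG" },
  { email: "anna@example.com", company: "Company 4711" },
];

const MIN_PREFIX = 2; // the form in the post reacts after two characters

function matchesPrefix(company, prefix) {
  return company.toLowerCase().startsWith(prefix.toLowerCase());
}

// Vulnerable pattern: the suggestion list is built from ALL stored registrations,
// so anyone typing two characters enumerates other customers' company names.
// A minimum prefix length does not help; it only slows the enumeration down.
function leakySuggest(prefix) {
  if (prefix.length < MIN_PREFIX) return [];
  const seen = new Set();
  for (const r of registrations) {
    if (matchesPrefix(r.company, prefix)) seen.add(r.company);
  }
  return [...seen];
}

// Hardened pattern: suggestions come only from the requester's own earlier
// registrations, keyed by the identity the session is authenticated as
// (assumed here to be the e-mail address). Other users' data never reaches
// the response, so there is nothing to enumerate.
function scopedSuggest(prefix, requesterEmail) {
  if (prefix.length < MIN_PREFIX || !requesterEmail) return [];
  const seen = new Set();
  for (const r of registrations) {
    if (r.email === requesterEmail && matchesPrefix(r.company, prefix)) {
      seen.add(r.company);
    }
  }
  return [...seen];
}

// Detection aid while the leaky variant is still deployed: a client that cycles
// through many distinct short prefixes stands out in the suggestion-request log.
// Returns the client identifiers that reached the threshold.
function flagEnumeration(queryLog, threshold) {
  const prefixesByClient = new Map();
  for (const q of queryLog) {
    if (!prefixesByClient.has(q.client)) prefixesByClient.set(q.client, new Set());
    prefixesByClient.get(q.client).add(q.prefix.toLowerCase());
  }
  return [...prefixesByClient]
    .filter(([, prefixes]) => prefixes.size >= threshold)
    .map(([client]) => client);
}

// Constructed request log: one client probing many prefixes, one normal user
// typing a single company name.
const sampleLog = [
  { client: "198.51.100.7", prefix: "co" },
  { client: "198.51.100.7", prefix: "fa" },
  { client: "198.51.100.7", prefix: "st" },
  { client: "198.51.100.7", prefix: "ar" },
  { client: "203.0.113.9", prefix: "co" },
  { client: "203.0.113.9", prefix: "con" },
];

console.log("leaky:", leakySuggest("co"));
console.log("scoped:", scopedSuggest("co", "anna@example.com"));
console.log("flagged:", flagEnumeration(sampleLog, 4));
```

The scoped variant assumes the form knows who is asking; on an anonymous registration page the only safe choice is to let the browser's own autofill handle the field (or to suggest from a curated, non-customer list) rather than to serve anything derived from other registrants' submissions.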
First I decided to hold back this information. But due to the fact that my blog reader told me his attempt to inform Microsoft didn't provoke any reaction – and because thousands of users have probably noticed this flaw – I decided to go public. Maybe we will now see a reaction from Microsoft. My recommendation is: enter 'Company 4711' into the company text box within the sign-up form. Microsoft has your e-mail address to contact you. Maybe someone at Microsoft will stumble upon many 'Company 4711' applicants and get curious.
BTW: The US sign-up site for webinars doesn't show this behavior so far.
Wow, this is scary.
Were they able to fix the issue?
Or are they still calling it a design feature?
P.S: I am glad US signup doesn't have this feature!
They told me "it was by design" – but they are now discussing (after I pointed out the implications) to remove this feature. Don't know whether they came to a final decision or not.