{"id":1813,"date":"2016-12-13T09:51:00","date_gmt":"2016-12-13T08:51:00","guid":{"rendered":"http:\/\/borncity.com\/win\/?p=1813"},"modified":"2021-07-05T18:37:52","modified_gmt":"2021-07-05T16:37:52","slug":"flaw-in-webinar-form-reveals-microsoft-customers-names","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2016\/12\/13\/flaw-in-webinar-form-reveals-microsoft-customers-names\/","title":{"rendered":"Flaw in webinar form reveals Microsoft customers names"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" src=\"http:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" height=\"47\" align=\"left\" \/>[<a href=\"http:\/\/www.borncity.com\/blog\/2016\/12\/13\/datenschutz-in-formularen-microsoft-stmpert\/\" target=\"_blank\" rel=\"noopener\">German<\/a>]Microsoft offers webinars, online courses held via the Internet &#8211;\u00a0that's good. Unfortunately, there is a security flaw in a German webinar registration form offered by Microsoft Germany that reveals the names of Microsoft's customers. And there are \"other\" stupid things I discovered while inspecting the form. The nastiest thing: one of my blog readers reported that flaw to Microsoft some time ago \u2013 without a reaction. So I decided to write a blog post \u2013 perhaps it will trigger a reaction. <strong>Addendum:<\/strong> I received <a href=\"http:\/\/www.borncity.com\/blog\/2016\/12\/13\/datenschutz-in-formularen-microsoft-stmpert\/#comment-38755\" target=\"_blank\" rel=\"noopener\">feedback<\/a> from Microsoft Germany &#8211; it's not a flaw, it's a feature by design. 
But the cases I've outlined below\u00a0have led to a discussion at Microsoft Germany about whether this feature should be removed for privacy protection.<\/p>\n<p><!--more--><\/p>\n<p>Yesterday I posted <a href=\"http:\/\/www.borncity.com\/blog\/2016\/12\/12\/webinar-datenschutz-in-der-cloud-13-12-2016-1400-1500-uhr\/\" target=\"_blank\" rel=\"noopener\">this article<\/a> on my German blog, announcing a webinar about \"Privacy and data protection with the cloud\", held on 12\/13\/2016 by some MVP colleagues. Last night I got a user comment informing me about a security flaw in Microsoft's registration form. Here is what the blog reader told me (in German):<\/p>\n<blockquote><p>Hi Guenter,<br \/>\ngo to the registration form (https:\/\/resources.office.com\/DE-O365-WBNR-FY17-12Dec-13-Datenschutz-Cloud277753_RegistrationShortForm-Office.html?wt.mc_id=AID558536_QSG_PR_127294) and enter at least two characters in the company text box (\u201eName Ihres Unternehmens\"). A list of companies already attending the webinar will be shown <img decoding=\"async\" src=\"http:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2016\/12\/wlEmoticon-winkingsmile-3.png\" alt=\"Zwinkerndes Smiley\" \/>. I stumbled upon that flaw weeks ago and reported it to Microsoft Germany \u2013 but till now without a reaction or feedback.<\/p><\/blockquote>\n<p>Uh, such comments always trigger a \"need to investigate\" reflex here, so I fired up a browser that night and tried to check it myself \u2026<\/p>\n<h3>A tale of mystery<\/h3>\n<p>Ok, first I used the Slimjet browser (a Google Chrome clone) to visit Microsoft's registration site for the webinar announced above. 
I was facing a redirection to <em>about:blank<\/em> and got a blank browser window.<\/p>\n<p><img decoding=\"async\" title=\"Webinar (abgelaufen) im Slimjet\" src=\"https:\/\/i.imgur.com\/eNcqu54.jpg\" alt=\"Webinar (abgelaufen) im Slimjet\" \/><\/p>\n<p>The text above is just a joke inserted by me for my German readers (it states that the color has run out, so \"we need to draw on with\" what is left \u2013 but the housekeeper is out searching for a new can of color).<\/p>\n<p>Because my Slimjet browser made trouble within the last few days (I had a certificate problem, which I described in <a href=\"http:\/\/www.borncity.com\/blog\/2016\/12\/12\/slimjet-browser-auf-version-12-0-12-0-aktualisiert-zertifikatsfehler-ausgemerzt\/\" target=\"_blank\" rel=\"noopener\">Slimjet-Browser auf Version 12.0.12.0 aktualisiert \u2013 Zertifikatsfehler ausgemerzt<\/a>), I used other browsers to inspect the registration site. Although I'm a poor blogger, I have a couple of browsers available (mostly portable versions).<\/p>\n<p><img decoding=\"async\" title=\"Webinar (abgelaufen) im Internet Explorer\" src=\"https:\/\/i.imgur.com\/iS0infv.jpg\" alt=\"Webinar (abgelaufen) im Internet Explorer\" \/><\/p>\n<p>The screenshot above was taken in Internet Explorer \u2013 stating that the address entered was wrong.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"Webinar (abgelaufen) im Firefox\" src=\"https:\/\/i.imgur.com\/FxvUlYn.jpg\" alt=\"Webinar (abgelaufen) im Firefox\" width=\"631\" height=\"576\" \/><\/p>\n<p><em>Addendum:<\/em> Microsoft claimed that a worldwide change to the registration process was responsible for the behavior outlined above.<\/p>\n<p>But Google Chrome 55 \u2013 and also Firefox 50 \u2013 showed me the registration form for the webinar coming today. Uh, a pretty crazy thing, isn't it? I haven't tried Edge yet. 
Then I checked my mail and found that my registration for the webinar from yesterday had been accepted.<\/p>\n<p><img decoding=\"async\" title=\"Anmeldebest\u00e4tigung\" src=\"https:\/\/i.imgur.com\/MVnOXTD.jpg\" alt=\"Anmeldebest\u00e4tigung\" \/><\/p>\n<p>Microsoft also confirms that \"privacy\" is in scope, but I was puzzled to see that Microsoft in Redmond was responsible, although I registered with Microsoft Germany GmbH. But wait, things are getting even nastier.<\/p>\n<h3>Let's try a 2nd registration for a webinar<\/h3>\n<p>Then I picked a new webinar and tried to sign up \u2013 and suddenly was puzzled. The behavior was visible in the Slimjet browser and also in Firefox (the screenshot below is the sign-up page for the cloud data protection webinar). <img decoding=\"async\" title=\"Datenschutz? So geht's nicht!\" src=\"https:\/\/i.imgur.com\/DpDelDn.jpg\" alt=\"Datenschutz? So geht's nicht!\" \/><\/p>\n<p>After entering two letters or digits into the company name text box, a drop-down list with the company names of previous applicants (I guess) appears. First I thought a kind of geolocation filter based on my IP address was used. But experimenting a bit, I was able to locate customers worldwide.<\/p>\n<blockquote><p>I found names of individuals running an IT service company, and noticed that Russian customers in St. Petersburg also like to join Microsoft webinars. I could identify an arms dealer and companies running infrastructure in France or in GB. Well, I was also surprised that a backyard burger restaurant located in Memphis, Tennessee, is joining webinars. Uh \u2026<\/p><\/blockquote>\n<p>It was a kind of chat roulette, trying different combinations of two or three characters to find new customers.<\/p>\n<blockquote><p>First I decided to hold back this information. But, due to the fact that my blog reader told me his attempt to inform Microsoft didn't provoke any reaction \u2013 and because thousands of users have probably noticed this flaw \u2013 I decided to go public. 
Maybe we will now see a reaction from Microsoft. My recommendation is: enter 'Company 4711' into the company text box of the sign-up form. Microsoft has your e-mail address to contact you. Maybe someone at Microsoft will stumble upon many 'Company 4711' applicants and get curious.<\/p><\/blockquote>\n<p>BTW: The US sign-up site for webinars doesn't show this behavior so far.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Microsoft offers webinars, online courses held via the Internet &#8211;\u00a0that's good. Unfortunately, there is a security flaw in a German webinar registration form offered by Microsoft Germany that reveals the names of Microsoft's customers. And there are \"other\" stupid things, &hellip; <a href=\"https:\/\/borncity.com\/win\/2016\/12\/13\/flaw-in-webinar-form-reveals-microsoft-customers-names\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[71],"tags":[65,261,69,575],"class_list":["post-1813","post","type-post","status-publish","format-standard","hentry","category-computer","tag-microsoft","tag-privacy","tag-security","tag-webinar"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/1813","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=1813"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/1813\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=1813"}],"wp:term":[{"taxonomy":"
category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=1813"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=1813"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}