Hi everyone and welcome to my first write-up.
Today I would like to talk about a vulnerability I found in a weird-looking value that, once exploited, allowed advertisers to see the email of any logged-in user who visited their ad.
Microsoft fixed this vulnerability in February 2024 and customers are already protected.
While browsing Outlook looking for vulnerabilities, I went through my Burp Suite history and saw a peculiar API that returned a string that looked like a hash.
When I searched for that hash in my Burp history I found it inside my cookie as “ANON=A=782AEBCA385B1A40A799B0B8FFFFFFFF&E=1d07&W=1”, while the API returned “782AEBCA385B1A40A799B0B8FFFFFFFF”. What did I do? I changed the query parameter that the API accepted and, to my surprise, I got a different value. What does that mean?
Although that was a valid IDOR, I couldn't report it as a finding, because in bug bounty you must prove IMPACT, and as far as I was concerned that value was useless. Why?
1. I removed that value from the cookie but still remained authenticated to every API I tested.
2. That value is just a hash that doesn't contain any PII.
I was sad that my first finding couldn't be exploited.
I thought to myself that the value couldn't be useless; there must be a reason why it ended up inside my cookie, so I embarked on the long journey of finding out its purpose.
After days of googling I found small hints that it is a unique hash assigned to every Microsoft user, as can be seen in the following picture (https://privacy.microsoft.com/en-us/privacystatement)
So it is used for advertising, but how? I kept looking…
I found a few places that wrote that the value is shared with advertisers in order to “prove” to them that real visitors clicked on their ads, but just to make sure I chatted with a Microsoft Ads sales representative, who confirmed that I, as a new advertiser, would be able to see those values.
That's great! Well, no… because the query parameter was not an email but another seemingly random string, “puid”.
Darn it, I was so close…
I decided not to give up, because all I needed was one more IDOR.
I kept looking in my Burp history and found it!!!!
When I changed a header to an email value I was given a few headers, one of which contained that puid.
Yes (https://www.govinfo.gov/content/pkg/CHRG-110shrg76329/html/CHRG110shrg76329.htm)
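Added example, not code from this write-up or from Microsoft: a toy model of the two-hop chain described above (email to puid to ANON id). Each lookup is shown in the shape that resolves whatever identifier the client supplies, and in a hardened shape that only resolves the caller's own identifier; all account names and identifier values are constructed.

```python
# Added example, not from the write-up: toy model of the email -> puid -> ANON chain.
from dataclasses import dataclass

# Constructed sample accounts; every identifier here is made up.
USERS = {
    "alice@example.com": {"puid": "PUID-1111", "anon": "ANON-AAAA"},
    "bob@example.com": {"puid": "PUID-2222", "anon": "ANON-BBBB"},
}
PUID_TO_EMAIL = {u["puid"]: email for email, u in USERS.items()}


@dataclass
class Session:
    """Identity the server established at login (not taken from the request)."""
    email: str


class NotAuthorized(Exception):
    pass


# Vulnerable shape: each endpoint resolves whatever identifier the client sends,
# so two individually "harmless" lookups chain into email -> anon id for any user.
def puid_for_email_vulnerable(session, email):
    return USERS[email]["puid"]


def anon_for_puid_vulnerable(session, puid):
    return USERS[PUID_TO_EMAIL[puid]]["anon"]


# Hardened shape: the identifier is only resolved when it belongs to the caller,
# i.e. the lookup is bound to the session identity rather than to request input.
def puid_for_email_hardened(session, email):
    if email != session.email:
        raise NotAuthorized("lookup limited to the caller's own account")
    return USERS[email]["puid"]


def anon_for_puid_hardened(session, puid):
    if puid != USERS[session.email]["puid"]:
        raise NotAuthorized("puid does not belong to the caller")
    return USERS[session.email]["anon"]


def link_email_to_anon(session, target_email, resolve_puid, resolve_anon):
    """Run the two-step chain; return the anon id, or None when a check blocks it."""
    try:
        return resolve_anon(session, resolve_puid(session, target_email))
    except NotAuthorized:
        return None
```

Run against the vulnerable pair, Alice's session resolves Bob's ANON id; against the hardened pair the same call returns None while her own lookup still works.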
Report created: Jan 7, 2024
Deployed fix: Feb 21, 2024
Awarded: Mar 1, 2024
Thanks for reading