RATHER EMBARRASSINGLY for Microsoft, an element of the company's website has been using a database that was leaking personal information.
The problem lay in a Redmond job portal that was at risk because of some less than great coding.
Microsoft did not even find this out for itself, but was alerted to it by security researcher Chris Vickery who said in a blog post on the MacKeeper website that the database connection was not write-protected and therefore open to external malevolence.
The problem is that Microsoft uses a mobile web development firm called Punchkick Interactive to handle the database that powers m.careersatmicrosoft.com and that it had a back end that was open and available to all. MacKeeper reckons that this went on for a few weeks, but was fixed shortly after Microsoft and Punchkick were informed.
"The good news is that as of February 5th, following my disclosure of the vulnerability to Punchkick and Microsoft, everything has been secured," Vickery said.
"All indications are that the database, a MongoDB instance, was not write-protected. You probably see where this is going. During the exposed timeframe an attacker could have modified the database, and thus the HTML code, of job listing pages being served through m.careersatmicrosoft.com."
Credit is given to Punchkick for fixing the problem quickly, but Vickery suggested that Microsoft needs to make a more measured study of its web real estate. This is something that we thought the firm was already doing.
"Punchkick gets points in my book for the quick turnaround, strong password hashing, and generally being very nice. This was an example of excellent incident response," he said.
"The lesson to learn here is that if you're a big-name player like Microsoft, it's acceptable for third parties to handle mundane operations like job posting web pages. But be aware that a hole in the third-party's security can quickly become a hole in your security."
MongoDB, the database, took rather a pasting in the first version of this article, but the company behind it contacted us to say that this was not fair.
"Recently a blog post was published that claimed a user had not properly secured their instance of MongoDB and was therefore at risk. As the article explains, the potential issue is a result of how a user might configure their deployment without security enabled. There is no security issue with MongoDB - extensive security capabilities are included with MongoDB," said Kelly Stirman, VP of Strategy at MongoDB.
"We encourage all users to follow the guidelines we prescribe for security. Security best practices are summarised here, or customers can contact MongoDB support. This is an important opportunity for everyone to ensure they are following security best practices."
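The failure mode described above, a MongoDB deployment running without security enabled, comes down to two settings in the mongod configuration file. The fragments below are an added illustration, not configuration from the article, Punchkick or Microsoft; the file path, port and comments are assumptions.

```yaml
# --- Exposed deployment (the kind of setup described in the article) ---
# /etc/mongod.conf  (assumed path)
net:
  port: 27017
  bindIp: 0.0.0.0        # listens on every interface, reachable from the internet
# no 'security' section: authorization defaults to disabled, so any client
# that can reach the port can read AND write every collection

# --- Hardened deployment ---
# /etc/mongod.conf  (assumed path)
net:
  port: 27017
  bindIp: 127.0.0.1      # only local clients (or a private address the app uses)
security:
  authorization: enabled # every client must authenticate; access is per-role
```

With `authorization: enabled` and nothing else, a fresh instance has no users, so the first admin account is created over a localhost connection before the change goes live.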