Misconfigured MongoDB installation left Microsoft careers site vulnerable to attack

Chris Vickery writes:

An exposed database was serving potentially arbitrary HTML through the mobile version of Microsoft’s careers page (m.careersatmicrosoft.com).

Punchkick Interactive is a mobile web development company. Microsoft relies on Punchkick to handle the database that powers m.careersatmicrosoft.com. The bad news is that, for at least the past few weeks, this backend database has been exposed to the open internet and required no authentication at all to access.

The good news is that as of February 5th, following my disclosure of the vulnerability to Punchkick and Microsoft, everything has been secured.


Read more on MacKeeper.

About the author: Dissent

Comments are closed.