Advertisers able to identify individual consumers who visited their ads (Microsoft bug bounty)

hatich_hacker
Mar 30, 2024


Summary

Hi everyone and welcome to my first write-up.

Today I would like to talk about a vulnerability I found in a weird-looking value which, once exploited, allowed advertisers to see the email of any logged-in user who visited their ad.
Microsoft fixed this vulnerability in February 2024 and customers are already protected.

Introduction

While browsing Outlook looking for vulnerabilities, I looked in my Burp Suite history and saw a peculiar API that returned a string that looked like a hash.

When I searched for that hash in the Burp history I found it inside my cookie, as “ANON=A=782AEBCA385B1A40A799B0B8FFFFFFFF&E=1d07&W=1”, while the API returned “782AEBCA385B1A40A799B0B8FFFFFFFF”. What did I do? I changed the query parameter that the API accepted, and to my surprise I got a different value. What does that mean?

Wait what?

Although that was a valid IDOR, I couldn't report it as a finding, because in bug bounty you must prove IMPACT, and as far as I was concerned that value was useless. Why?
1. I removed that value from the cookie but still remained authenticated to every API I tested
2. That value is just a hash that doesn't contain any PII

The journey

I was sad my first finding can’t be exploited.

I thought to myself that the value couldn't be useless; there must be a reason it ended up inside my cookie, so I embarked on the long journey of finding out its purpose.
After days of googling I found small hints showing that the hash is uniquely assigned to every Microsoft user, as can be seen in the following picture (https://privacy.microsoft.com/en-us/privacystatement)

So it is used for advertising, but how? I kept looking…

I found a few places stating that the value is shared with advertisers in order to “prove” to them that real visitors clicked on their ads, but just to make sure I chatted with a Microsoft Ads sales representative, who confirmed that I, as a new advertiser, would be able to see those values.

That’s great! Well, no... because the query parameter was not an email but another seemingly random string, “puid”.

Darn it I was so close …

I decided not to give up because all I need is one more IDOR.

I kept looking in my burp history and found it!!!!

When I changed a header to an email value, I was given a few headers back, one of which contained that puid.
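Both lookups above (puid to ANID, and email to puid) share one root cause: the caller is authenticated, but the identity being looked up is taken from a client-controlled parameter rather than from the session. The following Python is an added example, not code from the write-up and not Microsoft's API: it models that lookup as a vulnerable handler beside a hardened one, parses the ANON cookie format quoted in the post, and runs a simple enumeration detector over constructed request logs. The function names, the `DIRECTORY` table, the `Session` class and the log lines are all assumptions made up for illustration; only the one ANID string is the value quoted in the post.

```python
"""Added example (not from the original write-up). Models the IDOR pattern
described in the post: an authenticated caller resolves identifiers for
*other* users because the subject of the lookup comes from a request
parameter instead of the session. All names and data here are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_anon_cookie(cookie: str) -> Dict[str, str]:
    """Split an ANON cookie ("ANON=A=...&E=...&W=...") into its fields.
    The 'A' field is the per-user ANID the post found echoed by the API."""
    value = cookie.split("=", 1)[1] if cookie.startswith("ANON=") else cookie
    fields: Dict[str, str] = {}
    for part in value.split("&"):
        key, _, val = part.partition("=")
        fields[key] = val
    return fields


# Constructed directory: PUID -> (email, ANID). The first ANID is the value
# quoted in the post; everything else is invented for the example.
DIRECTORY: Dict[str, Tuple[str, str]] = {
    "PUID-0001": ("alice@example.com", "782AEBCA385B1A40A799B0B8FFFFFFFF"),
    "PUID-0002": ("bob@example.com", "0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F"),
}


@dataclass
class Session:
    """The authenticated caller, as established by the login cookie (hypothetical)."""
    puid: str


def anid_lookup_vulnerable(session: Session, puid_param: str) -> Optional[str]:
    """The defect: authentication is checked, but the lookup subject is
    whatever PUID the client put in the query parameter."""
    entry = DIRECTORY.get(puid_param)
    return entry[1] if entry else None


def anid_lookup_fixed(session: Session, puid_param: Optional[str] = None) -> Optional[str]:
    """Hardened form: the subject is always the session's own PUID. A client
    supplied PUID is accepted only when it matches the session; any other
    value is refused (None here; an HTTP handler would return 403)."""
    if puid_param is not None and puid_param != session.puid:
        return None
    entry = DIRECTORY.get(session.puid)
    return entry[1] if entry else None


# Constructed access-log lines: who was authenticated, and which PUID they asked for.
REQUEST_LOG: List[str] = [
    "2024-01-07T10:00:01Z session=PUID-0001 puid=PUID-0001",
    "2024-01-07T10:00:02Z session=PUID-0001 puid=PUID-0002",
    "2024-01-07T10:00:03Z session=PUID-0001 puid=PUID-0003",
    "2024-01-07T10:00:04Z session=PUID-0002 puid=PUID-0002",
]


def flag_enumeration(log_lines: List[str], threshold: int) -> List[str]:
    """Detection heuristic: report sessions that requested more than
    `threshold` distinct PUIDs other than their own. Looking up your own
    identifier is normal; walking through other people's is the IDOR signal."""
    foreign: Dict[str, set] = {}
    for line in log_lines:
        kv = dict(tok.split("=", 1) for tok in line.split()[1:])
        if kv["puid"] != kv["session"]:
            foreign.setdefault(kv["session"], set()).add(kv["puid"])
    return sorted(s for s, ids in foreign.items() if len(ids) > threshold)


if __name__ == "__main__":
    anon = parse_anon_cookie("ANON=A=782AEBCA385B1A40A799B0B8FFFFFFFF&E=1d07&W=1")
    print("ANID from cookie:", anon["A"])
    bob = Session("PUID-0002")
    print("vulnerable, bob asks for alice:", anid_lookup_vulnerable(bob, "PUID-0001"))
    print("fixed, bob asks for alice:", anid_lookup_fixed(bob, "PUID-0001"))
    print("fixed, bob asks for himself:", anid_lookup_fixed(bob))
    print("sessions flagged for enumeration:", flag_enumeration(REQUEST_LOG, 1))
```

The hardened handler keeps the same signature so the client-visible API does not change; what changes is that the parameter can no longer choose a different subject. The detector is deliberately crude (a fixed count, no time window) and is meant to show the shape of the signal: a single session resolving many identifiers that are not its own.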

Does Microsoft care about your privacy?

Yes (https://www.govinfo.gov/content/pkg/CHRG-110shrg76329/html/CHRG110shrg76329.htm)

Impact

  1. Enumerate all emails that ever existed to get yourself a nice list of PII (PUIDs in relation to their emails)
  2. If you are also an advertiser, continue to convert PUIDs to ANIDs, which end up inside the ANON cookies of consumers who visited your website

Timeline

Report created: Jan 7, 2024

Deployed fix: Feb 21, 2024

Awarded: Mar 1, 2024

Thanks for reading

Video: https://youtu.be/sconpGj_MU8
