TL;DR: There is a bunch of sensitive data stored on search engine cache servers related to some Microsoft services, but this is fine.

This is fine

Let’s begin at the end 🏁

As you can see, I'm allowed to publish these bugs. I could put here a list of reasons why I'm doing that, but the main reason is that maybe you or your company could be impacted, so you can go ahead and check.

The beginning ⭐️

I was just checking some Google search results when I saw the URL below, which caught my attention.

https://skydrive.live.com/embedicon.aspx/.Public/2010/march/Neenillade%20Nanagenide%20-%20MN%20Vyasa%20Rao/Elli%20Hoguve%20Nee%20-%20MD%20Pallavi%20Arun.M4A?cid=ceb8d6b27585bd79

The first thing that came to my mind when I opened this URL was: why is a shareable link appearing in Google search results? Before answering this question, let's recap why and how you can get a shareable link for any OneDrive folder/file to share with your friends.

https://support.office.com/en-us/article/share-onedrive-files-and-folders-9fcc2f7d-de0c-4cec-93b0-a82024800c07

I've checked this entire help page and I didn't find anywhere a warning that anyone can find some of your shareable links on Google or any other search engine.

Searching for shareable links 🙈

That blue square with "march" inside and the number 4 was actually a link.

Did you notice something different when I clicked on the blue square link? We got redirected to https://onedrive.live.com. But what is the difference between SkyDrive and OneDrive? SkyDrive is just the old name of OneDrive. If you want to know why Microsoft changed the name, you can check here: https://en.wikipedia.org/wiki/Microsoft_OneDrive.

The point is that we have an old service domain redirecting to the new domain, and the old service can still be found in Google search results. Let's try searching on onedrive.live.com.

There are a lot of results (about 81,600), but most of them aren't shareable links. Maybe we can filter (inurl) by the URL query parameter named "cid", which we saw in the URL mentioned above.

Just one! No way! 😔 Wait a minute. Let's take a look with the omitted results included.

Google found about 42,800 possible shareable links in 0.30 seconds, and maybe one of them is a picture that you shared with a friend. Google probably hid the results because the URLs are very similar (same domain and parameters) even though their content is different. Even though Google doesn't provide any preview, we can check the content by opening the links.

The first link that I tried was a video of some kids playing and being interviewed. The video was from Brazil and the kids were speaking Portuguese. It seems Google also presents results based on my geolocation, which means I'm probably not able to get all possible results from all possible Google cache servers.

I don't know about you, but for me this is not fine. Let me explain why by taking another example.

John, the owner of the folder above, created a shareable link and sent it to his friends believing that only they could see it, but this is not true. Let's check how I was able to find John's folder.

You can also target what you want to find in the shareable links, as you can see above. I was able to find shared files/folders with private pictures, software, CD/DVD images, licenses, financial documents, passwords, etc. For me this is a security issue that needs some attention, but for MSRC "the risk is low or would take significant effort to exploit" and "Microsoft has decided that it will not be fixing this vulnerability".

Bingo! 🍀

Bing found 4,760,000 results on onedrive.live.com without any filter! 😄 This is promising; let's try filtering like we did on Google.

Using the same filter, Bing found 1,950,000 and Google about 42,800 possible shareable links. Let's see if we can find John's folder using Bing by searching for the string "Memorial Day" like we did on Google.

Bing didn't find John's folder; it found only one of the 3 found by Google. Why?

I've compared the 3 links, and the only difference that makes sense to me is the permissions. We can assume that Google and Bing use different criteria when caching results.

There is no end 🔚

It seems we can also find some Outlook calendars. Let's take a look at one of them.

Supreme Trial? 🙎

I decided to give it a try and look for anything containing the string "password" by searching "site:live.com inurl:password".

I was able to find some "Reset your password" links, but nothing really scary. The strange part is Microsoft asking for something that is already in the URL. 😁

Trying Bug Bounty 💰

That's the same thing we found before, under https://outlook.live.com.

By checking some Google results I found an interesting subdomain called "safelinks.protection.outlook.com". This time let's check Bing first.

Only 5 results? What about Google?

About 222,000 results in 0.21 seconds. 😱 But why does this matter?

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-safe-links?view=o365-worldwide

It looks like ATP Safe Links URLs are cached on Google servers. Let's check what some of them have in common.

https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Finternal.kcl.ac.uk%2Finnovation%2FCrick%2FPhDProgramme%2Findex.aspx&data=01%7C01%7Candrea.streit%40kcl.ac.uk%7Ce941dbd341e94aeed38d08d4ce912ded%7C8370cf1416f34c16b83c724071654356%7C0&sdata=KZWybbWZGhLZueGX4px%2BDr6u4N57r30fuWqeskE0GGA%3D&reserved=0

https://eur03.safelinks.protection.outlook.com/?url=helpdesk.eui.eu&data=02%7C01%7CLaura.Bechi%40eui.eu%7Cab2734792ca441d4184608d783d3cd36%7Cd3f434ee643c409f94aa6db2f23545ce%7C0%7C0%7C637122818064802683&sdata=XqdRj96A3a0mquiKW6MQU2mCjo%2B27dCU22uPK0%2F1Q0w%3D&reserved=0

https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmyidentity.app.vumc.org%2Finvitation%2F&data=02%7C01%7Ctracey.m.street%40vumc.org%7Cc426e0443d4f4691fb9308d7a426da87%7Cef57503014244ed8b83c12c533d879ab%7C0%7C0%7C637158359088368561&sdata=BFFVPNC61CPJtP2f1JyIQ15Lw6cOy4RFo%2BrlCbwqqzk%3D&reserved=0

Did you get it? I'll help you and URL-decode them.

https://eur03.safelinks.protection.outlook.com/?url=https://internal.kcl.ac.uk/innovation/Crick/PhDProgramme/index.aspx&data=01|01|andrea.streit@kcl.ac.uk|e941dbd341e94aeed38d08d4ce912ded|8370cf1416f34c16b83c724071654356|0&sdata=KZWybbWZGhLZueGX4px+Dr6u4N57r30fuWqeskE0GGA=&reserved=0

https://eur03.safelinks.protection.outlook.com/?url=helpdesk.eui.eu&data=02|01|Laura.Bechi@eui.eu|ab2734792ca441d4184608d783d3cd36|d3f434ee643c409f94aa6db2f23545ce|0|0|637122818064802683&sdata=XqdRj96A3a0mquiKW6MQU2mCjo+27dCU22uPK0/1Q0w=&reserved=0

https://nam05.safelinks.protection.outlook.com/?url=https://myidentity.app.vumc.org/invitation/&data=02|01|tracey.m.street@vumc.org|c426e0443d4f4691fb9308d7a426da87|ef57503014244ed8b83c12c533d879ab|0|0|637158359088368561&sdata=BFFVPNC61CPJtP2f1JyIQ15Lw6cOy4RFo+rlCbwqqzk=&reserved=0

The domain of the wrapped URL matches the domain of the email address in the "data" parameter. It seems these are the email addresses that received the URL by email. So let's find some valid @microsoft.com emails ("site:safelinks.protection.outlook.com inurl:%40microsoft.com").

https://nam06.safelinks.protection.outlook.com/?url=https://careers.microsoft.com/i/us/en/job/692819/2020-MBA-Graduates-Marketing-GSMO-Beijing&data=02|01|Shaoying.Wang@microsoft.com|6071a332590c44350c9808d726a608ae|72f988bf86f141af91ab2d7cd011db47|1|0|637020366863905780&sdata=DvZj8PcK3eGShuNkJr9A05+0O2kaTqknT+ODsyu4k08=&reserved=0

https://nam06.safelinks.protection.outlook.com/?url=https://docs.microsoft.com/en-us/dynamics365/unified-operations/financials/localizations/rus-cash-flow&data=02|01|sglass@microsoft.com|1b991791450d4418314408d6c3c6a9a1|72f988bf86f141af91ab2d7cd011db47|1|0|636911655386341020&sdata=DZ3MRV4nUKlGiqMPniSRz78dk7BGYwwDBBMMNCIWvF4=&reserved=0

https://nam06.safelinks.protection.outlook.com/?url=https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Reduce-your-potential-attack-surface-using-Azure-ATP-Lateral/ba-p/291787&data=02|01|mepelley@microsoft.com|e963d686a97e4eb7771208d6656ca68c|72f988bf86f141af91ab2d7cd011db47|1|0|636807914712746157&sdata=0dtYSgtC9XpXMztKH2iJj0BVBp5oImO/8QpMrnNvOnw=&reserved=0

This is good for recon when you need a valid email address for a specific domain. I didn't research much further, but the other parameters seem to hide something: the fifth pipe-separated field is identical across all three @microsoft.com links, and the trailing 18-digit number is present only in the "02"-version links.
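As an added example (not code from the original post), here is a small Python parser that takes Safe Links URLs as they come back from a search engine, splits them when several have been run together as in the listing above, URL-decodes the query string and pulls out the wrapped destination plus the recipient address, grouped by mail domain for recon. The layout of the "data" parameter is inferred from the six sample URLs quoted in the post and is an assumption: the recipient sits in the third pipe-separated field, the fifth field is a 32-hex value that is constant per recipient domain (so it is labelled only as a tenant hint), and the last field of the "02"-version links decodes plausibly as a .NET DateTime tick count; the `sdata` signature is left untouched.

```python
"""Parse ATP Safe Links URLs harvested from search results (added example).

Field meanings for the `data=` parameter are inferred from the sample URLs
in the post and are an ASSUMPTION, not documented behaviour.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# The three Safe Links URLs quoted in the post, URL-encoded and run together
# exactly as the search-result extraction presented them.
BLOB = (
    "https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Finternal.kcl.ac.uk%2Finnovation%2FCrick%2FPhDProgramme%2Findex.aspx&data=01%7C01%7Candrea.streit%40kcl.ac.uk%7Ce941dbd341e94aeed38d08d4ce912ded%7C8370cf1416f34c16b83c724071654356%7C0&sdata=KZWybbWZGhLZueGX4px%2BDr6u4N57r30fuWqeskE0GGA%3D&reserved=0"
    "https://eur03.safelinks.protection.outlook.com/?url=helpdesk.eui.eu&data=02%7C01%7CLaura.Bechi%40eui.eu%7Cab2734792ca441d4184608d783d3cd36%7Cd3f434ee643c409f94aa6db2f23545ce%7C0%7C0%7C637122818064802683&sdata=XqdRj96A3a0mquiKW6MQU2mCjo%2B27dCU22uPK0%2F1Q0w%3D&reserved=0"
    "https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmyidentity.app.vumc.org%2Finvitation%2F&data=02%7C01%7Ctracey.m.street%40vumc.org%7Cc426e0443d4f4691fb9308d7a426da87%7Cef57503014244ed8b83c12c533d879ab%7C0%7C0%7C637158359088368561&sdata=BFFVPNC61CPJtP2f1JyIQ15Lw6cOy4RFo%2BrlCbwqqzk%3D&reserved=0"
)

SAFELINK_HOST = re.compile(r"^[a-z0-9]+\.safelinks\.protection\.outlook\.com$")


def split_safelinks(blob):
    """Split run-together Safe Links URLs: each one starts with its own scheme+host,
    so a zero-width split just before every such prefix separates them."""
    parts = re.split(r"(?=https://[a-z0-9]+\.safelinks\.protection\.outlook\.com/)", blob)
    return [p for p in parts if p]


def ticks_to_datetime(ticks):
    """Interpret a value as .NET ticks (100 ns since 0001-01-01 UTC). ASSUMPTION:
    that this is what the trailing `data` field holds; it merely decodes plausibly."""
    return datetime(1, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def parse_safelink(link):
    """Return region, wrapped destination, recipient and a tenant hint for one URL.

    Only the URL-encoded form is safe to parse: in the decoded form shown in the
    post an embedded destination with its own '&' or '?' would corrupt the split.
    """
    s = urlsplit(link)
    if not SAFELINK_HOST.match(s.netloc):
        raise ValueError(f"not a Safe Links host: {s.netloc}")
    q = parse_qs(s.query, keep_blank_values=True)  # parse_qs also percent-decodes
    fields = q.get("data", [""])[0].split("|")
    rec = {
        "region": s.netloc.split(".")[0],            # e.g. eur03, nam05
        "destination": q.get("url", [None])[0],
        "recipient": fields[2] if len(fields) > 2 else None,   # ASSUMED position
        "tenant_hint": fields[4] if len(fields) > 4 else None, # constant per domain
        "sent_approx": None,
    }
    # Version "01" samples carry 6 fields and no timestamp; version "02" carry 8.
    if fields[0] == "02" and len(fields) >= 8 and fields[7].isdigit():
        rec["sent_approx"] = ticks_to_datetime(int(fields[7]))
    return rec


def harvest_recipients(links):
    """Group recipient addresses by mail domain, the recon use the post describes."""
    by_domain = defaultdict(set)
    for link in links:
        rec = parse_safelink(link)
        if rec["recipient"] and "@" in rec["recipient"]:
            by_domain[rec["recipient"].rsplit("@", 1)[1].lower()].add(rec["recipient"])
    return dict(by_domain)


if __name__ == "__main__":
    for url in split_safelinks(BLOB):
        print(parse_safelink(url))
    print(harvest_recipients(split_safelinks(BLOB)))
```

Running the block over a list of indexed Safe Links URLs gives you, per target domain, the set of addresses that provably received mail in that tenant, which is exactly the recon value the post points out; the tenant hint and the approximate send date are extras you get for free if the inferred layout holds.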

Let's try the Google query "site:sharepoint.com inurl:cid".

SharePoint shareable links are also there.

Another service, Sway, shows the same behaviour ("site:sway.com inurl:ref=Link").

Grand Finale! 🏆

There is no need to explain anything; just take a look at the screenshots below.

If you find any other interesting service and want to share please send me an email ricardo.iramar@gmail.com or twitter @ricardo_iramar.

Someone constantly in search of self-knowledge.
