TL;DR: There is a bunch of sensitive data related to some Microsoft services stored on search engine cache servers, but this is fine.
Let’s begin at the end 🏁
I tried to report what I’m going to describe in this post three times and got the email below as the final answer.
As you can see, I’m allowed to publish these bugs. I could put here a list of reasons why I’m doing that, but the main reason is that maybe you or your company could be impacted, so you can go ahead and check.
The beginning ⭐️
I don’t really remember what I was looking for, but for sure I wasn’t trying to find any bugs in any kind of Microsoft service, because I’d already had some problems reporting something simple to MSRC (Microsoft Security Response Center).
I was just checking some Google search results when I saw the URL below, which caught my attention.
The first thing that came to my mind when I opened this URL was: why is a shareable link appearing in Google search results? Before answering this question, let’s recap why and how you can get a shareable link for any OneDrive folder/file to share with your friends.
I checked this entire help page and didn’t find anything saying that anyone can find some of your shareable links on Google or any other search engine.
Searching for shareable links 🙈
Before trying to search Google for more shareable links, I noticed the folder names in the https://skydrive.live.com URL and I thought that maybe I could navigate through the folders by removing only the file name.
That blue square with march inside and the number 4 was actually a link.
Did you notice something different when I clicked on the blue square link? We got redirected to https://onedrive.live.com. But what is the difference between SkyDrive and OneDrive? SkyDrive is just the old name of OneDrive. If you want to know why Microsoft changed the name, you can check here: https://en.wikipedia.org/wiki/Microsoft_OneDrive.
The point is we have an old service domain name redirecting to the new domain name and the old service can be found on Google search results. Let’s try to search on onedrive.live.com.
There are a lot of results (about 81,600) but most of them weren’t shareable links. Maybe we can filter (inurl) by the URL query parameter named “cid”, which we saw in the URL mentioned above.
Just one! No way! 😔 Wait a minute. Let’s take a look with the omitted results included.
Google found about 42,800 possible shareable links in 0.30 seconds, and maybe one of them is a picture that you shared with your friend. Google probably hid the results because the URLs are very similar (same domain and parameters), but their content is different. Even though Google doesn’t provide any preview, we can check the content by opening the links.
The first link that I tried was a video of some kids playing and being interviewed. The video was from Brazil and the kids were speaking in Portuguese. It seems Google also presents the results based on my geolocation, which means I’m probably not able to really get all possible results from all possible Google cache servers.
I don’t know about you but for me this is not fine. Let me explain why by taking another example.
John, the owner of the folder above, created a shareable link and sent it to his friends believing that only they can see it, but this is not true. Let’s check how I was able to find John’s folder.
You can also target what you want to find in the shareable links, as you can see above. I was able to find shared files/folders with private pictures, software, CD/DVD images, licenses, financial documents, passwords, etc. For me this is a security issue which needs some attention, but for MSRC “the risk is low or would take significant effort to exploit” and “Microsoft has decided that it will not be fixing this vulnerability”.
How about the Microsoft search engine called Bing?
Bing found 4.760.000 results on onedrive.live.com without any filter! 😄 This is promising; let’s try filtering like we did on Google.
Using the same filter, Bing found 1.950.000 and Google about 42,800 possible shareable links. Let’s see if we can find John’s folder using Bing by searching for the string “Memorial Day” like we did on Google.
Bing didn’t find John’s folder, but found only one of those 3 found by Google. Why?
I’ve compared the 3 links from and the only difference which makes sense to me is the permissions. We can assume that Google and Bing have different parameters to cache results.
There is no end 🔚
I had the intuition that SkyDrive/OneDrive wasn’t the only service affected and decided to search Google for the query “site:live.com inurl:cid -site:onedrive.live.com -site:skydrive.live.com” to find any other vulnerable service.
It seems we can find some Outlook calendars. Let’s take a look at one of them.
Supreme Trial? 🙎
I decided to give it a try and find anything with the password string by searching “site:live.com inurl:password”.
I was able to find some Reset your password links but nothing really scary. The strange part is Microsoft asking for something that is already in the URL. 😁
Trying Bug Bounty 💰
Instead of trying random services, I started targeting the domains described here: https://www.microsoft.com/en-us/msrc/bounty-microsoft-cloud. Let’s try the Google query “site:outlook.office365.com inurl:calendar”.
That’s the same thing we found before under https://outlook.live.com.
By checking some Google results I found an interesting subdomain called “safelinks.protection.outlook.com”. This time let’s check Bing first.
Only 5 results? What about Google?
About 222,000 results in 0.21 seconds. 😱 But why does this matter?
It looks like the ATP Safe Links are cached on Google servers. Let’s check what some of them have in common.
Did you get it? I’ll help you and URL decode them.
The domain of the URL matches the domain of the emails. It seems these are the email addresses that received the URL by email. So let’s find some valid @microsoft.com emails (“site:safelinks.protection.outlook.com inurl:%40microsoft.com”).
This is good for recon when you need a valid email for a specific domain. I didn’t research much, but the other parameters seem to hide something.
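Seen from the defending side, the same URL decoding can be used to strip the wrapper before a link copied out of an email is pasted anywhere a crawler can reach. The following is an added example, not part of the original research: it assumes the wrapped target sits in a query parameter named `url`, and the sample text, address and `data` value are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

SAFELINKS_SUFFIX = "safelinks.protection.outlook.com"
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def inspect_safelink(link):
    """Return (original_url, embedded_addresses) for a Safe Links URL, else None."""
    parts = urlsplit(link)
    host = (parts.hostname or "").lower()
    # Exact host or a true subdomain only, so look-alike hosts are not treated as wrappers
    if host != SAFELINKS_SUFFIX and not host.endswith("." + SAFELINKS_SUFFIX):
        return None
    original, found = None, set()
    # parse_qsl percent-decodes each value, the step the post performs by hand
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() == "url":  # assumed name of the wrapped-target parameter
            original = value
        else:
            found.update(addr.lower() for addr in EMAIL_RE.findall(value))
    return original, sorted(found)

def scrub(text):
    """Replace each Safe Links URL in text with its target; list the addresses removed."""
    removed = set()

    def _swap(match):
        result = inspect_safelink(match.group(0))
        # Leave the link untouched unless a plain http(s) target was recovered
        if result is None or not (result[0] or "").startswith(("http://", "https://")):
            return match.group(0)
        removed.update(result[1])
        return result[0]

    return URL_RE.sub(_swap, text), sorted(removed)

# Constructed sample: a wrapped link as it might be pasted into a public page
SAMPLE = ("Agenda: https://nam01.safelinks.protection.outlook.com/"
          "?url=https%3A%2F%2Fexample.org%2Fagenda.pdf"
          "&data=02%7C01%7Calice%40example.com%7Cabc123&reserved=0 (see page 2)")

if __name__ == "__main__":
    cleaned, addresses = scrub(SAMPLE)
    print(cleaned)
    print("addresses that would have been published:", addresses)
```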
Let’s try the Google query “site:sharepoint.com inurl:cid”.
SharePoint shareable links are also there.
Another service called Sway (“site:sway.com inurl:ref=Link”).
Grand Finale! 🏆
There are probably many more Microsoft services that you can find through different search engines, but this will be the grand finale service: broadcast.skype.com.
There is no need to explain anything; just take a look at the screenshots below.