Broken Access Control in bingmapsportal !!!

Hello everyone,

This blog post is going to be about the 3rd vulnerability I reported to Microsoft.

You can manage your Bing Maps API keys in bingmapsportal, and while updating the name of an application, something caught my eye.

POC :-

Whenever you change something like the name of an application, the website sends a PUT request to perform the update.

The request looks like this. As you can see, it is sending JSON data like this:

{
  "applicationId": 1707630,
  "applicationName": "testing xml",
  "applicationUri": null,
  "ticket": "bjc7REBGwm6NNTL3Ot5R~INcJpFU5r-KxjNtDZK2Nkg~ApWBovtZEhj4-Uodq6qTluDURLTLmTpJVOTl_V-4l8f6fnFO1KQlIlmLAijCJgXL",
  "accountId": 1418767,
  "keyTypeId": 2,
  "keyType": "Basic",
  "keySubtypeId": 39,
  "keySubtype": "Universal Windows App",
  "validFrom": "12/23/2015",
  "validTo": "None",
  "isMutable": true,
  "showButtonTextEnable": false,
  "keyStatus": "Enabled",
  "showKeyEnableDisableButton": true
}

The difference between a PUT and a POST request is that PUT replaces the resource at the target URL with the representation you send, whereas POST asks the server to process the submitted data. That matters here because the PUT body carries the whole record, including the identifiers.

The fields that caught my eye were applicationId and accountId. What happens if I change the application ID? Who knows, let's try.

So I asked my sister to use her Outlook account, and I created an application key from her account as well.

I created an application named bounty_1 in my account and bounty_2 in hers.

Then, from my sister's account, I intercepted the PUT request and changed the applicationId from bounty_2's application ID to bounty_1's application ID,

and the response was "Key updated successfully".

I was like WHAT !!!! and refreshed my Account.

To my surprise the application got transferred from my account to my sister’s account.

The backend was not validating whether the requesting account actually owns the application named by applicationId. It trusted the client-supplied identifiers, so any authenticated user who supplied another user's applicationId could overwrite that application and, because accountId is also taken from the body, re-parent it into their own account. This is a classic insecure direct object reference (IDOR), a form of broken access control.
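To make the failure concrete, here is an added illustration (my own code, not Microsoft's and not the author's): a minimal in-memory model of the application-update endpoint. The hypothetical update_application_vulnerable handler does what the portal apparently did: it trusts the client-supplied applicationId and accountId and overwrites the record. The hardened update_application resolves the application, checks that it belongs to the authenticated account, and never lets the client choose the owner. The account and application IDs, the session value and the store layout are constructed for the example; only the field names applicationId, accountId and applicationName come from the request body above.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass
class Application:
    application_id: int
    account_id: int
    application_name: str


class NotFound(Exception):
    """Raised where the real service would answer 404."""


def seed_store() -> Dict[int, Application]:
    """Constructed sample data mirroring the bounty_1 / bounty_2 setup:
    application 1001 belongs to account 5001 ("my" account),
    application 1002 belongs to account 5002 ("my sister's" account)."""
    return {
        1001: Application(1001, 5001, "bounty_1"),
        1002: Application(1002, 5002, "bounty_2"),
    }


def update_application_vulnerable(store: Dict[int, Application],
                                  session_account_id: int, body: dict) -> str:
    """Hypothetical vulnerable handler: no ownership check at all.
    The only thing the session is used for is being logged in."""
    app_id = int(body["applicationId"])
    if app_id not in store:
        raise NotFound(app_id)
    # Naive PUT semantics: replace the record with whatever the client sent,
    # including the accountId, which is how the application changes hands.
    store[app_id] = Application(app_id, int(body["accountId"]),
                                str(body["applicationName"]))
    return "Key updated successfully"


def update_application(store: Dict[int, Application],
                       session_account_id: int, body: dict) -> str:
    """Hardened handler: the server decides the owner, not the client."""
    app_id = int(body["applicationId"])
    app = store.get(app_id)
    # Same response for "does not exist" and "not yours" so the endpoint
    # cannot be used to enumerate other accounts' application IDs.
    if app is None or app.account_id != session_account_id:
        raise NotFound(app_id)
    # Copy only the mutable, allow-listed field; accountId from the body is ignored
    # and the existing owner is carried over from the stored record.
    store[app_id] = Application(app_id, app.account_id, str(body["applicationName"]))
    return "Key updated successfully"


def replay_attack(handler):
    """Replays the cross-account PUT described in the post against a handler.
    Returns (response text, owner of application 1001 afterwards)."""
    store = seed_store()
    attacker_session = 5002  # logged in as the sister's account
    # The intercepted PUT for bounty_2, with applicationId swapped to bounty_1's ID
    body = {"applicationId": 1001, "applicationName": "bounty_2", "accountId": 5002}
    try:
        result = handler(store, attacker_session, body)
    except NotFound:
        result = "404 Not Found"
    return result, store[1001].account_id


if __name__ == "__main__":
    print("vulnerable:", replay_attack(update_application_vulnerable))
    print("hardened:  ", replay_attack(update_application))
```

The fix is not "validate that accountId matches the session" on its own: the check has to be made against the stored owner of the object the ID refers to, and the owner field must never be writable from the request body. Dropping the 404/403 distinction is a secondary hardening so the endpoint does not confirm which IDs exist.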

I reported this to Microsoft and it’s patched now.

Timeline :-

23-12-2015: Initial report sent.

Did some follow-up over the next couple of days.

05-01-2016: Asked for any updates.

06-01-2016: Got a reply saying no updates.

21-01-2016: Asked once more for any updates.

22-01-2016: Got a reply saying the issue is fixed.

I will be listed in Microsoft’s HALL OF FAME for the month of January 2016

Thank you for reading.

Feel free to contact me if you have any doubts.

Peace :D

Originally published at on January 23, 2016.

Written by Sai Krishna Kothapalli

Founder/CEO Hackrew | Security Researcher | Indian | Student @ IIT Guwahati

Published in InfoSec Write-ups