Researchers on Monday reported that a misconfiguration caused thousands of personal records to leak of people who registered for events on Microsoft Teams via the EventBuilder event management application.
In a blog by Clario, in tandem with researcher Bob Diachenko, the team found that hundreds of thousands of large CSV-JSON files with full names, emails addresses, company names, and phone numbers were potentially leaked.
The researchers said the leak was discovered and reported on June 10 and the company addressed the issue.
EventBuilder covers event logistics so clients can focus on the content. The researchers said the data was stored on Microsoft Azure Blob Storage — Microsoft’s object storage for the cloud that Microsoft has optimized for storing massive amounts of unstructured data.
According to the researchers, the storage was supposed to be partially public for hosting recorded webinar sessions for link-only access. However, for some reason, the webinar organizers put registrant information into Blob, which meant it was open to indexing by a public bucket searcher (Grayhat Warfare), thus compromising personal information.
This incident serves as another case of general-purpose cloud storage not being secured appropriately by an application team, said Michael Isbitski, technical evangelist at Salt Security. In this case, Isbitski said the incident impacted instances of Microsoft Azure Blob Storage as opposed to Amazon S3 buckets.
“Engineering teams at EventBuilder did not properly secure sensitive information and protect it from public viewing,” Isbitski said. “The cloud providers equip organizations with functionality to report on and lock down their cloud data stores. Unfortunately, development and engineering teams don’t always consider the misuse or abuse cases of cloud data storage in application designs. This reality is sometimes a side effect of increasing pressure to deliver fast on new application functionality, and appropriate security controls are overlooked.”
Oliver Tavakoli, CTO at Vectra agreed that the EventBuilder case was an “archetypal example” of a SaaS provider not paying attention to permissions associated with cloud storage used to store customer information.
“It’s generally a bad idea to comingle data intended to be publicly available with data only intended for access by authenticated or privileged users as it requires discipline around maintaining fine-grained access control, which clearly did not happen in this case,” Tavakoli said.
Saryu Nayyar, CEO at Gurucul, added that companies should not comingle their data. Nayyar said it’s probably a case of poor design and/or implementation, but the result was that attackers had a semi-public route into attendee registration information.
“This has the potential to contribute to identity theft and phishing,” Nayyar said. “This should be a relatively easy fix, but in the meantime attendee data was exposed to attackers for download and illicit use.”