Not just Apple- Microsoft also left the keys to their kingdom exposed

Reading time icon 2 min. read


Readers help support MSPoweruser. When you make a purchase using links on our site, we may earn an affiliate commission. Tooltip Icon

Read the affiliate disclosure page to find out how can you help MSPoweruser effortlessly and without spending any money. Read more

We posted recently on a number of serious security snafus by Apple which would give knowledgeable people easy access to your PC or even home.

As is often the case that is just tempting fate however, as it turns out Microsoft had its own very serious security bungle, and unlike Apple they were very slow to respond to the issue.

ITNews reports that software developer Matthias Gliwka found Microsoft included a  so-called wildcard transport layer security (TLS) certificate that included a private key when setting up a sandbox testing environment for Dynamics 365, Microsoft’s Customer Relationship Manager and  Enterprise Resource Planning software. The key when exported allowed any hacker to decrypt traffic scrambled with the digital credential and impersonate the server, exposing customer communications without being detected. It also covered all *.sandbox.operations.dynamics.com domains (even for other companies), meaning the certificate would have access to all Dynamics 365 sandbox environments. Sandboxes, used for testing, often contain a full mirror of the final database.

Of course, every company makes mistakes, but Microsoft’s slow response to the issue was the part which was really inexcusable. Gliwka reported the vulnerability to Microsoft’s security response centre (MSRC) in the middle of August but Microsoft did not think the issue met “the bar for security servicing”, because it believed an attacker would require admin credentials. Gliwka made further attempts until October, when he publicly asked Microsoft on twitter about the problem. It was only then when he was told it would be fixed soon.

Despite this assurance, however, Microsoft did not revoke the leaked Dynamics 365 certificate until German media became involved in November, and a journalist opened a ticket on Mozilla’s bug tracker system.

Microsoft only finished resolving the issue last week, a full 100 days after the first report.

As mentioned earlier, every company makes errors, but they only turn into mistakes if you refuse to fix them.  Given that CRM databases contain a huge amount of data, usually of the general public, such a lax attitude seems rather difficult to excuse, and we hope the company can do better in the future.

Read more detail about the issue at Gliwka’s Medium post here.

More about the topics: Dynamics 365, microsoft, security

Leave a Reply

Your email address will not be published. Required fields are marked *