Vulnerability has now been addressed in the Microsoft Teams add-on
The personal details of more than 100,000 people who attended online events could be at risk due to a security flaw in event management application EventBuilder.
According to security researcher Bob Diachenko and infosec firm Clario Tech, more than million records from thousands of CSV/JSON files containing the personal information of individuals who registered for events via Microsoft Teams, could be exposed.
The data includes phone numbers and email addresses, the researchers said.
EventBuilder allows organizations to create webinars and other events – primarily using Microsoft Teams and Skype for Business – by providing integrated functionality such as pre-registration and attendee-only content.
The security flaw, which has now been remediated, arose in a feature that allows hosts to record sessions for link-only access, with the data stored in Microsoft Azure Blob, according to a blog post published by Clario.
A configuration error caused the system to store attendees’ personal data in a Blob, potentially exposing it to cybercriminals. According to Clario, data exposed included full names, email addresses, company names, job titles, phone numbers, and any questionnaire responses provided during the webinar.
The flaw was uncovered using a public bucket searcher, the Grayhat Warfare search engine.
“The flaws are quite serious. We are glad we’ve discovered them, and not hackers, and made the company aware of the possible misuse of the data so they could fix it before anything bad happened,” Diachenko told The Daily Swig.
So far, Diachenko and Clario believe no data has been misused. “We believe that we caught the exposure before any misuse happened to this data,” said Diachenko. “We are happy that we discovered the data exposure, rather than the data leak, because it would be a huge one.”
This is borne out by analysis from UK security firm Pentest People. “I looked at some of the raw breach data using some of Pentest People’s in-house tools and also checked the dark web for evidence of the EventBuilder data being traded,” Liam Follin, senior service development consultant for Pentest People. told The Daily Swig.
“To date, there was no evidence that we could discover.”
However, security experts warn that similar breaches could happen in the future, especially as more web applications connect to cloud storage. Online events are also attractive targets to cybercriminals, due to the data they gather on attendees.
“Other virtual event platforms should take heed of this breach to avoid exposing their own users to cyber threats” advised Follin. “Make sure that solutions are being tested properly, and that security is at the forefront of the development ethos.
“It’s easy to blame developers for these mistakes, but ultimately developers need to be given adequate training and the time with which to secure applications.”
Organizations, or individuals, that have used EventBuilder should also be cautious, especially if they receive unexpected emails or calls.
“I always highlight that nothing can be better that an educated employee: an employee who follows cyber hygiene rules and manages data responsibly – in the office and at home,” said Diachenko.
Pentest People’s Follin also advises organizations to invest in dark web monitoring, as this can detect breaches and emerging threats before data falls into the hands of criminals.