XSS vulnerability found in Microsoft Academic search portal

Researcher takes issue with Security Response Center’s lack of communication

A client-side cross-site scripting vulnerability in the Microsoft Academic search portal left users open to session hijacking, non-persistent phishing attacks, and external redirects to malicious sources, researchers have found.

Launched in 2016 and updated on a weekly basis, Microsoft Academic features academic content from more than 170 million publications covering nearly 200,000 fields of study.

A flaw in the application was discovered by Vulnerability Lab security researcher Lawrence Amer back in April 2017.

“As with many researchers, PortSwigger’s Burp Suite is our first choice when it comes to finding these detailed vulnerabilities,” Amer told The Daily Swig.

“After doing a lot of ‘Burping’, I discovered that Microsoft Academic’s API filter was vulnerable to cross-site scripting.”

According to Amer, remote attackers could exploit the app via vulnerable requests to api/search/Getfilters, which bypassed the XSS filters.

“This allows the remote attacker to inject and execute client-side cross-site scripting payloads,” he said. “The request method to inject is GET and the attack vector is non-persistent.”

Successful exploitation of the vulnerability could result in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious sources, and non-persistent manipulation of affected or connected application modules.

While Amer said the Microsoft Security Response Center team was quick to acknowledge the vulnerability in April last year, he took issue with the team’s lack of subsequent communication.

“After a couple of months I emailed them with the case number, hoping to track this report,” he said. “They replied after more than two weeks saying they were sorry for the delay.”

Microsoft eventually responded to a further update request on June 7, with the security team stating: “The development team is aware of the issue, and are scheduled to release a fix soon. Once the fix has been published and verified, I will contact you.”

In August, some four months after the vulnerability was identified, Amer discovered that the flaw had indeed been fixed. The researcher, however, received no further communications from the Microsoft team.

“I confirmed with them that the vulnerability had been fixed, with no response or acknowledgement,” he said. “Microsoft didn’t even say ‘thank you for your work’. Unfortunately, they ignored [my message] again.”