Microsoft Dynamics 365 sandbox leaked TLS certificate's private parts

Hey Redmond, is this your secret key?

Another day, another credential found wandering without a leash: Microsoft accidentally left a Dynamics 365 TLS certificate and private key where they could leak, and according to the discoverer, took 100 days to fix the bungle.

Matthias Gliwka, a Stuttgart-based software developer, discovered the slip while working with the cloud version of Redmond's ERP system.

Writing at Medium, Gliwka said the TLS certificate was exposed in the Dynamics 365 sandbox environment, designed for user acceptance testing.

Unlike the development and production servers, the sandbox gives admins RDP access, and “that's where the fun begins”.

Access from any sandbox environment yields “a valid TLS certificate for the common name * and the corresponding private key — by the courtesy of Microsoft IT SSL SHA2 CA!”.

With the certificate (which can be exported with fairly basic tools) and the private key, Gliwka said that any man-in-the-middle can see user communications in the clear, and can modify that content without detection.
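The defensive question this raises is how to confirm, when a private key turns up on a host it should never have been on, that it really is the private half of a deployed certificate, and how many hostnames a wildcard certificate of that kind actually covers. The following Go program is an added example written for this page; it is not code from the article, from Gliwka or from Microsoft. It generates a throwaway self-signed wildcard certificate (the `*.sandbox.example.test` names are constructed placeholders, not Microsoft's real common name) and then runs two audit checks against it: `KeyMatchesCert` compares a recovered PEM key with the certificate's public key, and `CoveredHosts` uses the standard library's SAN and wildcard matching to list which hostnames the certificate would be accepted for.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// GenerateTestMaterial makes a throwaway RSA key and a self-signed certificate
// whose SAN is the given (wildcard) name, so the audit functions below can be
// exercised offline. Every name passed to it in this example is a constructed
// placeholder.
func GenerateTestMaterial(name string) (certPEM, keyPEM []byte, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	return certPEM, keyPEM, nil
}

func parseCert(certPEM []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block in input")
	}
	return x509.ParseCertificate(block.Bytes)
}

// parseRSAKey accepts either PKCS#1 ("RSA PRIVATE KEY") or PKCS#8 ("PRIVATE KEY") PEM.
func parseRSAKey(keyPEM []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(keyPEM)
	if block == nil {
		return nil, errors.New("no PEM block in key input")
	}
	if k, err := x509.ParsePKCS1PrivateKey(block.Bytes); err == nil {
		return k, nil
	}
	k, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	rk, ok := k.(*rsa.PrivateKey)
	if !ok {
		return nil, errors.New("private key is not RSA")
	}
	return rk, nil
}

// KeyMatchesCert reports whether a private key recovered from a host is the
// private half of the public key bound in the certificate. A true result for a
// key found outside its intended key store means the certificate is compromised
// and must be revoked and reissued.
func KeyMatchesCert(certPEM, keyPEM []byte) (bool, error) {
	cert, err := parseCert(certPEM)
	if err != nil {
		return false, err
	}
	key, err := parseRSAKey(keyPEM)
	if err != nil {
		return false, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return false, errors.New("certificate public key is not RSA")
	}
	return pub.Equal(&key.PublicKey), nil
}

// CoveredHosts returns the candidate hostnames the certificate is valid for,
// using the standard library's SAN and wildcard matching (a wildcard covers
// exactly one label). This sizes the blast radius of a leaked wildcard cert.
func CoveredHosts(certPEM []byte, candidates []string) ([]string, error) {
	cert, err := parseCert(certPEM)
	if err != nil {
		return nil, err
	}
	var covered []string
	for _, h := range candidates {
		if cert.VerifyHostname(h) == nil {
			covered = append(covered, h)
		}
	}
	return covered, nil
}

func main() {
	certPEM, keyPEM, err := GenerateTestMaterial("*.sandbox.example.test")
	if err != nil {
		panic(err)
	}
	match, _ := KeyMatchesCert(certPEM, keyPEM)
	hosts, _ := CoveredHosts(certPEM, []string{"tenant1.sandbox.example.test", "sandbox.example.test", "a.b.sandbox.example.test"})
	fmt.Printf("key matches cert: %v; hosts covered: %v\n", match, hosts)
}
```

In an incident like the one described, the same two functions would be run with the real certificate and the key recovered from the sandbox host; a match confirms the exposure, and the covered-host list tells the responder which services were exposed to interception until the certificate was revoked and replaced.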

Gliwka detailed extensive communications with Microsoft to explain the issue, and after his efforts to get the problem fixed proved fruitless, he contacted German tech freelancer Hanno Böck to get coverage.

Böck tried filing a bug ticket with Mozilla's bug tracker (since browsers track which certificates are trustworthy), and that got Microsoft moving. Gliwka wrote that the hole was plugged on 5 December – quite some time after his original notification to Microsoft on 17 August. ®
