EventBuilder allows by providing pre-registration and attendee-only content, Microsoft Teams and Skype for Business can work together seamlessly.
More than one million CSV/JSON files containing the personal information of people who registered for events via Microsoft Teams might be exposed, according to security researcher Bob Diachenko and information security firm Clario Tech. Phone numbers and email addresses are included in the information.
Almost 100,000 users who attended the event could be at the risk of a data breach as a result of a fault in the app.
According to a blog post published by Clarion, the security issue originated in a feature that allows hosts to record sessions for link-only access, with the data saved in Microsoft Azure Blob.
The system stored participants’ personal data in a Blob due to a setup mistake, possibly exposing it to hackers. Full names, business names, email addresses, job positions, phone numbers, and any questionnaire replies submitted during the webinar were among the data exposed, according to Clario.
The vulnerability was discovered using the Gray hat Warfare search engine, which is a public bucket searcher.
Bob Diachenko said, “The flaws are quite serious. We are glad we’ve discovered them, and not hackers, and made the company aware of the possible misuse of the data so they could fix it before anything bad happened.”
Till now it is believed that no data has been misused. “We believe that we caught the exposure before any misuse happened to this data,” said Diachenko. “We are happy that we discovered the data exposure, rather than the data leak because it would be a huge one.”
“I looked at some of the raw breach data using some of Pentest People’s in-house tools and also checked the dark web for evidence of the EventBuilder data being traded,” Liam Follin, senior service development consultant for Pentest People said.
“To date, there was no evidence that we could discover.”
Similar breaches are possible in the future, according to security experts, especially as more web apps connect to cloud storage. Because of the data they collect on participants, online events are also appealing targets for hackers.
“Other virtual event platforms should take heed of this breach to avoid exposing their own users to cyber threats” advised Follin. “Make sure that solutions are being tested properly, and that security is at the forefront of the development ethos.
“It’s easy to blame developers for these mistakes, but ultimately developers need to be given adequate training and the time with which to secure applications.”
Users and the organization who have been part of the EventBuilder needs to be cautious especially in case they receive calls or unexpected emails.
“I always highlight that nothing can be better than an educated employee: an employee who follows cyber hygiene rules and manages data responsibly – in the office and at home,” said Diachenko.