A security vulnerability in Microsoft's Events platform allowed unauthorized access to personal information stored in both the event registration and waitlist databases. The flaw, found by a 15-year-old security researcher known as Faav, exposed full names, email addresses, phone numbers and, for some records, physical addresses. After responsible disclosure, Microsoft patched the vulnerability.
Discovery and Initial Investigation
The investigation began with the `events.microsoft.com` subdomain, which led to several API endpoints on `msevents.microsoft.com`. Initial tests of those endpoints returned nothing sensitive. The first real finding was an OData injection flaw in the `/api/GetEvents` endpoint: request input could alter the OData query the endpoint built. Even so, the endpoint returned only public event information, and attempts to point the query at other tables, such as accounts or contacts, produced errors.
A similar injection in `/api/GetEventCustomRegistrationFields` allowed every Microsoft event to be enumerated, but again exposed no user data.
Exploitation of the Vulnerability
The pivotal finding was a POST endpoint, `/api/CheckEventRegistration`, whose job is to report whether an email address is already registered for a given event. Injecting payloads into its `email` and `eventId` fields changed the query the endpoint built from those values.
The injection revealed that the endpoint issued two separate queries against two different databases, and crafted input could steer each query independently.
One injection enumerated the entire Waitlist database, with fields including `fullname`, `telephone1`, `address1_line1`, `company` and email address; many of the addresses were on government and corporate domains.
Reversing the injection reached the second database, the Event Registration list, which held first name, last name, phone number, company name and country. For some events it also held custom fields for Partner IDs and Tenant IDs.
There was no rate limiting, so an attacker could have scripted extraction of every record from both databases.
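The mechanics of the flaw, as an added example that is not Microsoft's code: the write-up does not publish the real payloads, so the table rows, event GUIDs, field set and payload below are constructed, and a small in-memory `$filter` evaluator stands in for whatever data service sat behind the endpoint. The vulnerable function builds the filter by string concatenation, so a value that closes the string literal and appends `or email ne ''` turns the lookup into a tautology that returns every row. The hardened function checks that `eventId` parses as a GUID, escapes the email the way OData string literals require (an embedded quote is written as `''`), and returns only the yes/no answer the caller asked for.

```python
"""OData $filter injection and its fix, modelled on a check-registration endpoint.
Added example for this write-up, not Microsoft's code; the real payloads are not
published, so the rows, GUIDs and payload here are constructed. The small evaluator
stands in for the backing data service (string literals, eq/ne, and/or only)."""
import re
import uuid

EVENT_A = "3f2b1c9e-5d6a-4b7c-8e9f-0a1b2c3d4e5f"  # constructed GUIDs
EVENT_B = "9a8b7c6d-5e4f-4a3b-8c2d-1e0f9a8b7c6d"
# Constructed waitlist rows; the field names follow those named in the report.
WAITLIST = [
    {"email": "alice@agency.example", "fullname": "Alice Example",
     "telephone1": "555-0100", "eventid": EVENT_A},
    {"email": "bob@corp.example", "fullname": "Bob Example",
     "telephone1": "555-0101", "eventid": EVENT_A},
    {"email": "o'brien@corp.example", "fullname": "Pat O'Brien",
     "telephone1": "555-0102", "eventid": EVENT_B},
]

# A string literal is '...' with an embedded quote written as ''; anything else is a word.
_TOKEN = re.compile(r"\s*(?:('(?:[^']|'')*')|(\w+))")

def _tokenize(expr):
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if m is None:
            raise ValueError(f"unparseable filter at {expr[pos:]!r}")
        if m.group(1) is not None:  # string literal: strip the quotes, unescape ''
            tokens.append(("str", m.group(1)[1:-1].replace("''", "'")))
        else:
            tokens.append(("word", m.group(2)))
        pos = m.end()
    return tokens

def _parse(tokens):
    """Recursive descent; 'and' binds tighter than 'or'. Returns a nested tuple tree."""
    pos = 0
    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of filter")
        pos += 1
        return tokens[pos - 1]

    def cmp():
        lhs, op, rhs = take(), take(), take()
        if op not in (("word", "eq"), ("word", "ne")):
            raise ValueError(f"expected eq/ne, got {op!r}")
        return (op[1], lhs, rhs)

    def chain(word, sub):  # left-associative chain of `word` over sub-expressions
        node = sub()
        while pos < len(tokens) and tokens[pos] == ("word", word):
            take()
            node = (word, node, sub())
        return node

    tree = chain("or", lambda: chain("and", cmp))
    if pos < len(tokens):
        raise ValueError(f"trailing token {tokens[pos]!r}")
    return tree

def _evaluate(node, row):
    kind = node[0]
    if kind == "or":
        return _evaluate(node[1], row) or _evaluate(node[2], row)
    if kind == "and":
        return _evaluate(node[1], row) and _evaluate(node[2], row)
    # Comparison operands: ("word", name) is a field lookup, ("str", s) a literal.
    lhs, rhs = (text if k == "str" else row.get(text) for k, text in node[1:])
    return lhs == rhs if kind == "eq" else lhs != rhs

def query(table, filter_expr):
    """Rows of `table` matching an OData-style $filter string."""
    tree = _parse(_tokenize(filter_expr))
    return [row for row in table if _evaluate(tree, row)]

def check_registration_vulnerable(email, event_id):
    """Builds $filter by concatenation, so request values become query syntax."""
    flt = f"email eq '{email}' and eventid eq '{event_id}'"
    return query(WAITLIST, flt)  # hands back whole rows, PII included

def odata_string(value):
    """Quote a value as an OData string literal, doubling embedded quotes."""
    return "'" + str(value).replace("'", "''") + "'"

def check_registration_hardened(email, event_id):
    """Validate, escape, and answer only the yes/no question the caller asked."""
    event_id = str(uuid.UUID(event_id))  # ValueError unless it really is a GUID
    if not (0 < len(email) <= 254 and "@" in email):
        raise ValueError("email does not look like an address")
    flt = f"email eq {odata_string(email)} and eventid eq {odata_string(event_id)}"
    return bool(query(WAITLIST, flt))  # no row data crosses the API boundary

PAYLOAD = "x@y' or email ne '' or email eq '"  # constructed: closes the literal, adds a tautology
```

With the constructed table, `check_registration_vulnerable(PAYLOAD, EVENT_A)` returns all three rows, including rows for a different event, while `check_registration_hardened(PAYLOAD, EVENT_A)` returns `False`. The concatenating version also breaks on a legitimate address containing a quote (`o'brien@corp.example`), which is the same defect seen from the other side; the escaped version answers it correctly. Returning a boolean rather than rows is the third, independent layer: even if a future query bug slipped through, an answer of the form "registered or not" cannot carry a phone number.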
Disclosure and Remediation
Having demonstrated that the data could be leaked, Faav stopped testing and reported the findings to the Microsoft Security Response Center (MSRC) on July 23, 2025. Microsoft acknowledged the issue and completed a fix on August 26, 2025.
Implications and Recommendations
The incident shows why web applications that handle personal data need defences at the query layer, not only at the network edge. Organizations should:
– Validate and escape user input before it reaches an OData query, and never build `$filter` strings by concatenating request parameters.
– Enforce rate limiting on lookup endpoints so that bulk extraction is slow and visible.
– Audit and monitor API endpoints regularly, including those that appear to return only public data, since the same query-building flaw can surface in a sibling endpoint that does not.
– Run and support a responsible disclosure program so that flaws like this are reported and fixed promptly.
Together these practices reduce the chance that a single query-building mistake exposes an entire database.