
A Security Engineer’s Quest to Find 365 Bugs in Microsoft Office 365

Venita Thomas

Have you ever purchased software and asked yourself, “I wonder if there are any known bugs in here, and does the company even know?” Well, a little-known fact is that they often do. Many websites, organizations, and software developers offer what is called a bug bounty program. Individuals who participate can receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities.

A reputable security engineer by day has become a bug hunter by night and is on a journey to find 365 security bugs in Microsoft Office 365… Get it? “365!” He is currently at 310 and has no intention of stopping. Bugs can range from mildly annoying to gravely compromising, so the sooner they are caught, the better.

One of the bugs identified allowed a takeover and compromise of every website created with Microsoft’s Power Portals, and the security engineer thought that was very disturbing. Another bug that he found was in Microsoft Teams and Skype for Business, which were leaking information such as a dump of a person’s at-keyboard status. This allowed the security engineer to find out the status of any Office 365 user, regardless of their organization. He could tell if their status was set to offline, online, out sick, be right back, or do not disturb. Wow! Now that is very disturbing!

Bug bounty programs are on the rise, with big players like Microsoft, Apple, and even the Department of Homeland Security offering them. Recreational bug hunting was once a hobby, but it is now a legitimate side hustle.

Resource: https://www.vice.com/en/article/akdene/a-security-engineers-quest-to-find-365-bugs-in-microsoft-office-365