some time
> . . . the hole was plugged on 5 December – quite some time after his original notification to Microsoft on 17 August.
Hey, some of us are slow readers.
Another day, another credential found wandering without a leash: Microsoft accidentally left a Dynamics 365 TLS certificate and private key where they could leak, and according to the discoverer, took 100 days to fix the bungle. Matthias Gliwka, a Stuttgart-based software developer, discovered the slip while working with the …
Gliwka detailed extensive communications with Microsoft to explain the issue.
Ohhh, so I am not the only one having trouble with MS Support, then ...
Customer: "Oh, I found the private key to xxx.yyy on the xxx.yyy system I use for validation."
MS to customer: "Oh! [types privet kay into knowledge base] Errrm, give me a minute .... [call put on hold]"
MS to Second line: What is a "private key"?
MS to Second line: "Oh, some people own islands south of County Dade, rich blokes ...."
MS to Second line: "Hmmmm, ok, so nothing serious? Why is this guy so worked up about it?"
MS to customer: "Thank you very much for that information, we will contact our travel agent and get back to you as soon as possible. Thanks for your interest in Microsoft products, have a nice day, good bye. [call cut off]"
... Microsoft did get this wrong, but as a mitigating factor, this does only affect URLs which end in ".sandbox.operations.dynamics.com".
You could just as well register any other similar-looking domain - for example "sandbox-operations-dynamics.com" - and get a perfectly legit LetsEncrypt certificate for it.
Presumably each company using Dynamics has its own sandbox, and that may have company-confidential information in it. Since it's a wildcard certificate, company A can get the certificate from a.sandbox.operations.dynamics and use it to MITM traffic for company B at b.sandbox.operations.dynamics.
This wouldn't have been an issue if they'd given each customer their own key and single-server certificate. It is an issue because they decided to reuse one wildcard certificate for all customers.
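To make the scope point in the two comments above concrete, here is an added example (not code from the thread, the article, or Microsoft) that applies the RFC 6125 wildcard-matching rule to a certificate's SAN entries: a single `*` must be the whole left-most label and matches exactly one label. The `*.sandbox.operations.dynamics.com` pattern and the lookalike `sandbox-operations-dynamics.com` are the names discussed in the thread; the per-host certificate and the list of sample hostnames are constructed for the illustration. The output shows why one shared wildcard key covers every tenant's sandbox host while a per-host certificate covers only its own, and why anything outside that suffix is untouched.

```python
"""Which hostnames does a certificate cover?  (Added example, not from the thread.)

Implements the RFC 6125 dNSName wildcard rule used by TLS clients:
  * a '*' is only honoured as the entire left-most label,
  * it matches exactly one label (so not the bare domain, not sub-sub-domains),
  * patterns like '*.com' with fewer than two labels after the '*' are rejected.
"""

def label_matches(pattern: str, hostname: str) -> bool:
    """Return True if a single SAN dNSName `pattern` covers `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname  # plain name: exact, case-insensitive match
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the whole left-most label with at least two labels after it.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in p_labels[1:]:
        return False
    # A wildcard stands in for exactly one non-empty label.
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def covered_hosts(san_names, hostnames):
    """Return, in order, the hostnames that at least one SAN entry covers."""
    return [h for h in hostnames if any(label_matches(p, h) for p in san_names)]


# Certificate shapes from the thread: one shared wildcard versus one cert per host.
WILDCARD_CERT = ["*.sandbox.operations.dynamics.com"]
PER_HOST_CERT = ["a.sandbox.operations.dynamics.com"]  # constructed per-tenant cert

# Constructed sample hostnames: two tenants, the bare suffix, a deeper name,
# the lookalike domain from the thread, and a name that merely embeds the suffix.
SAMPLE_HOSTS = [
    "a.sandbox.operations.dynamics.com",
    "b.sandbox.operations.dynamics.com",
    "sandbox.operations.dynamics.com",
    "x.y.sandbox.operations.dynamics.com",
    "sandbox-operations-dynamics.com",
    "a.sandbox.operations.dynamics.com.attacker-controlled.example",
]

if __name__ == "__main__":
    for label, cert in (("wildcard", WILDCARD_CERT), ("per-host", PER_HOST_CERT)):
        print(f"{label} certificate {cert} covers:")
        for h in covered_hosts(cert, SAMPLE_HOSTS):
            print(f"  {h}")
```

Running it lists `a.` and `b.` under the wildcard certificate and only `a.` under the per-host one; the bare suffix, the two-level name, the lookalike domain and the embedded-suffix name match neither. That is the whole blast radius of the leaked key: every host one label below `sandbox.operations.dynamics.com`, and nothing else.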
> It is an issue because they decided to reuse one wildcard certificate for all customers.
For a test environment, not production. Some people seem to have forgotten what "sandbox" means.
Possibly MS should have made the domain(s) something like:
a.if-you-put-real-data-in-test-its-your-problem.operations.dynamics
b.if-you-put-real-data-in-test-its-your-problem.operations.dynamics
and so on, just to make it clear.
Almost all companies copy at least some of the real data from the production DB into the sandbox.
Many put a full (outdated) clone, because it's the easiest way to get a test DB containing a lot of data that's similar enough to production to show up bugs that appear at production scale and special-case data.
And it's their private sandbox, so it's fine, right?
>> Some people seem to have forgotten what "sandbox" means.
> Well, it doesn't mean "test",
In the context of dynamics CRM, MS states:
"Free Test instance and Paid Test instance types have been renamed to Sandbox instances."
this comes under "know your tools".
> unless this is MS once again ignoring what meaning of a word is agreed-on by the rest of the world
That would be the rest of the world excluding wikipedia and its editors, who also define it as "a testing environment"?
Regardless, a more universal definition of sandboxes is that they are a secure place to play because they keep stuff _in_ and stop it getting _out_ (and affecting "real" stuff). This is emphatically and completely different from being a secure place that stops stuff getting _in_. If in doubt as to the importance of understanding the difference, ask a lobster.
Here is another part of the story concerning the US "cloudization" program, Cloud First. They finally got MS Dynamics serving various US government agencies, including defense. Whether this flaw in question affects the US government actually does matter. The cloud was and is and will be the resource for such flaws simply because it is a shared environment.
Another piece of info for cloud lovers: the US government requires two-factor authentication, which Dynamics does not provide, at least they do not mention that in particular. Once I found a CIA guy's post in a LinkedIn security group. The guy was proud that the agency works in the cloud now ... Errrrr... Good luck spooky boy!!