Glitch in EventBuilder put 100 000 users’ personal data at risk
Security company Clario Tech, together with cyber security researcher Bob Diachenko, discovered a data exposure in EventBuilder, a virtual events tool that integrates with Microsoft Teams and other Microsoft products.
Clario notified EventBuilder of the danger earlier this year, and the popular webinar tool, which integrates with Microsoft Teams, has now closed the exposure.
Exposing personal details
The exposed records were stored as JSON and CSV files. JSON is a text syntax for storing and exchanging structured data; CSV is a plain-text format in which each record is a line of values separated by commas.
The data was stored in Microsoft Azure Blob Storage, Microsoft’s object storage service for the cloud. Part of the storage had deliberately been made public so that recorded sessions could be shared by link.
Gartner defines blob (binary large object) as a term for the handling and storage of long strings of data by database management systems; in Azure, a blob is simply a file object held in a storage container.
However, webinar organisers inadvertently uploaded the records of users who had registered into that same publicly accessible storage, exposing their personal information to anyone on the Internet who found the files.
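The exposure described above comes down to two Azure Blob Storage settings: the container's public access level and what gets uploaded into it. Azure distinguishes a "blob" level (anyone who has the exact URL can read that blob, but cannot enumerate the container: the "link-only" model the recordings relied on) from a "container" level (anyone can list and read everything). The audit script below is an added example, not code from EventBuilder, Clario or the published report. It consumes the JSON that `az storage container list` and `az storage blob list` emit (a `name` field, and for containers a `properties.publicAccess` field, as the author recalls the output; confirm against your CLI version), flags public containers that allow anonymous listing or hold anything other than recordings, and prints the `az` command that closes the hole. The storage account `eventstore`, the container names and the blob names are constructed sample data.

```python
"""Audit Azure Blob Storage containers for public access that exposes data files.

Added example, not code from EventBuilder, Clario or the published report.
Input records follow the JSON emitted by `az storage container list` and
`az storage blob list` as the author recalls it (a `name` field, and for
containers a `properties.publicAccess` field); confirm against your CLI.
All sample data below is constructed.
"""
import json
from dataclasses import dataclass, field

# Azure container public access levels, as exposed in `properties.publicAccess`:
#   "container": anonymous clients may LIST the container and read every blob.
#   "blob":      anonymous clients may read a blob if they know its exact URL
#                ("link-only" sharing); they cannot enumerate the container.
#   null:        no anonymous access at all.
PUBLIC_LEVELS = ("container", "blob")

# Recording formats plausibly meant for link-only sharing (assumed list).
MEDIA_EXT = {".mp4", ".m4a", ".webm", ".mp3"}


@dataclass
class Finding:
    container: str
    level: str                  # "container" or "blob"
    anonymous_listing: bool     # True when anyone can enumerate the blobs
    non_media_blobs: list = field(default_factory=list)  # files that are not recordings
    fix: str = ""               # az command that removes anonymous access


def _ext(name: str) -> str:
    """Lower-cased file extension of a blob name ('' when there is none)."""
    base = name.rsplit("/", 1)[-1]
    dot = base.rfind(".")
    return base[dot:].lower() if dot > 0 else ""


def audit(account: str, containers: list, blobs_by_container: dict) -> list:
    """Return one Finding per public container riskier than link-only recording sharing."""
    findings = []
    for c in containers:
        level = (c.get("properties") or {}).get("publicAccess")
        if level not in PUBLIC_LEVELS:
            continue  # private container: anonymous requests are rejected
        blobs = blobs_by_container.get(c["name"], [])
        non_media = [b["name"] for b in blobs if _ext(b["name"]) not in MEDIA_EXT]
        listing = level == "container"
        # A "blob"-level container holding only recordings matches the intended
        # link-only use; anonymous listing or non-recording files are reportable.
        if not listing and not non_media:
            continue
        fix = (f"az storage container set-permission --account-name {account} "
               f"--name {c['name']} --public-access off")
        findings.append(Finding(c["name"], level, listing, non_media, fix))
    return findings


def report(findings: list) -> list:
    """Human-readable lines for the findings."""
    lines = []
    for f in findings:
        lines.append(f"[{f.container}] publicAccess={f.level}"
                     + (" ANONYMOUS LISTING" if f.anonymous_listing else ""))
        for name in f.non_media_blobs:
            lines.append(f"    non-recording file readable by anyone: {name}")
        lines.append(f"    fix: {f.fix}")
    return lines


# Constructed sample data in the shape of `az storage container list` / `az storage blob list`.
SAMPLE_CONTAINERS = json.loads("""
[
  {"name": "recordings", "properties": {"publicAccess": "blob"}},
  {"name": "exports",    "properties": {"publicAccess": "container"}},
  {"name": "internal",   "properties": {"publicAccess": null}}
]""")

SAMPLE_BLOBS = {
    "recordings": [{"name": "2021/webinar-0423.mp4"},
                   {"name": "2021/webinar-0423-registrants.csv"}],
    "exports":    [{"name": "q2/attendees.json"}],
    "internal":   [{"name": "db-backup.bak"}],
}

if __name__ == "__main__":
    print("\n".join(report(audit("eventstore", SAMPLE_CONTAINERS, SAMPLE_BLOBS))))
```

Two caveats when acting on the output. First, the "blob" level is not authentication: anyone who obtains or guesses a URL can download the file, so it is only acceptable for content you would happily publish. Second, the container setting is only one layer; `az storage account update --allow-blob-public-access false` disables anonymous access for the whole storage account and is the setting to enforce when no container legitimately needs to be public.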
According to Clario, EventBuilder has grown in popularity during global lockdowns as many events have switched to a virtual format.
“It is widely used by Microsoft and is integrated with Teams,” said Diachenko. “This data exposure is an interesting case study in how even the most advanced technology companies can expose themselves to data vulnerabilities.”
Clario estimates that a minimum of 100 000 individuals have been affected by this exposure.
“Anyone who has registered with EventBuilder should take the proper steps to protect their personal information including installing credible cyber security software featuring identity protection and dark Web monitoring.”
Mykola Tymkiv, COO at Clario, says data exposures are preventable with the appropriate measures in place.
“Any company can avoid finding themselves in such a dangerous and vulnerable situation by first, implementing proper access rules and only allowing authorised personnel to access sensitive information. Second, if a system doesn’t require authentication, never leave it open to the Internet,” he advises.
The full details can be found in a report published this afternoon.