Mahala by Microsoft, the site that provides pupils and students in South Africa with free Microsoft apps, exposed the personal details of more than 22,000 users.
Since launching in 2017, South Africans between the ages of 8 and 24 have been able to get a free Microsoft 365 licence and 5GB OneDrive storage worth R1,800 when they sign up to Mahala.ms.
The programme is a partnership between Microsoft South Africa, Penguin Lava Lamp Lab, and NBConsult. It aims to enable learners from grades R to 12 to become more productive and better prepared for the next phase of their academic careers or the workplace.
The suite includes well-known productivity apps like Word, PowerPoint, OneNote, Outlook, and Excel.
Users who wish to sign up for the programme must visit the Mahala.ms portal and provide details, including their name, email address, and phone number.
Doing so, however, exposed these details to any other user who had signed up for the programme.
This flaw was discovered by MyBroadband reader Israel Ndou, who contacted us as he was concerned that malicious actors could sell the information or use it to carry out phishing attacks.
“Many of the registered people may not be aware that their details are public and can be easily accessed by others outside of the company,” Ndou warned.
“If bad actors were to retrieve this information, they would be able to phish the users and possibly harvest additional information to gain access to their OneDrive, and many other online accounts or apps.”
Ndou explained that registered Mahala users could see other users who had signed up for the programme because the Microsoft subscription gave every Mahala account access to the same Azure Active Directory (AD) tenant, Microsoft’s cloud-based identity and access management service. By default, every member of an Azure AD tenant is allowed to read the profiles of all other members of that tenant.
The Azure AD section of the Mahala.ms portal shows a list of registered Mahala users, but this only includes their names, and downloading their details is restricted in the portal.
However, by running a simple command in Microsoft PowerShell using a module that connects to Azure AD (pictured above), a user can download the user names, email addresses, mobile phone numbers, and Mahala.ms email addresses. Restricting the portal only hides the data in the web interface; it does not change what the directory returns to an authenticated member over PowerShell or the API.
Ndou provided the command that could be used to download a CSV file to allow MyBroadband to report the issue to Microsoft.
Instructions for these types of PowerShell commands for Azure AD were readily available on the Internet.
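The following is an added illustration, not the command Ndou supplied to MyBroadband (the article does not print it). The first function reproduces the class of export the article describes, using the AzureAD PowerShell module the article alludes to (now deprecated; the Microsoft Graph PowerShell SDK is its successor). The second and third functions are the tenant-side check and fix an administrator would apply: the relevant setting is the default member permission to read other users, not the portal restriction. The tenant, file path and account are assumed.

```powershell
# Added example, not code from the article or from Mahala.ms.
# Part 1 needs the AzureAD module (Install-Module AzureAD); Parts 2 and 3 need
# the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).

# ---- Part 1: what any ordinary member of the tenant could do by default ----
function Export-TenantUsers {
    param([string]$Path = ".\tenant-users.csv")   # assumed output path
    # Interactive sign-in with a plain member account (no admin role needed).
    Connect-AzureAD | Out-Null
    # Because members may read other members' profiles by default, -All returns
    # every account in the tenant, including mail and phone attributes.
    $users = Get-AzureADUser -All $true |
        Select-Object DisplayName, UserPrincipalName, Mail, Mobile, TelephoneNumber
    $users | Export-Csv -Path $Path -NoTypeInformation
    return $users.Count
}

# ---- Part 2: the administrator's check ----
function Get-DirectoryReadExposure {
    # Policy.Read.All is enough to inspect the authorization policy.
    Connect-MgGraph -Scopes "Policy.Read.All" | Out-Null
    $policy = Get-MgPolicyAuthorizationPolicy
    # AllowedToReadOtherUsers = $true means every member can enumerate the directory.
    [pscustomobject]@{
        AllowedToReadOtherUsers = $policy.DefaultUserRolePermissions.AllowedToReadOtherUsers
        GuestUserRoleId         = $policy.GuestUserRoleId
    }
}

# ---- Part 3: the administrator's fix ----
function Disable-MemberDirectoryRead {
    # Policy.ReadWrite.Authorization is required to change the policy.
    Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization" | Out-Null
    # Turn off the default "members can read other users" permission.
    # Members keep access to their own profile; directory enumeration over
    # PowerShell, Graph and the portal is denied for non-admin members.
    Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
        AllowedToReadOtherUsers = $false
    }
    (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.AllowedToReadOtherUsers
}
```

Two caveats a practitioner should weigh. The tenant setting “Restrict access to the Azure AD administration portal” does what its name says and nothing more; it hides the web UI from non-admins while Get-AzureADUser, Get-MgUser and the Graph API keep working, which matches the article’s observation that the portal blocked downloads but PowerShell did not. Setting AllowedToReadOtherUsers to false also removes the tenant-wide address book from features such as people pickers in Outlook and Teams, so it suits a tenant of unrelated consumers better than a conventional organisation.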
A MyBroadband employee who previously signed up for the programme as a student confirmed that he was able to log into Azure AD with his Mahala.ms credentials.
After verifying that he had permissions to access the data in the way Ndou described, MyBroadband reported the issue to Microsoft.
Shortly thereafter, the Mahala.ms user in our office could no longer view the list of user names in Azure AD.
A Microsoft spokesperson said the issue was being investigated.
“We take privacy seriously and are working to resolve this issue,” they said.
“What we can confirm is that this does not involve a security vulnerability and any potential data involved is limited to names, and in some cases, email addresses and phone numbers.”
At the time of publication, the Mahala.ms site was “under maintenance”.