Microsoft’s free Office apps programme for children and students in South Africa has been offline for more than seven months.
Between 2017 and 2021, the software giant offered its most popular applications for free to users between 8 and 24 years old as part of the Mahala by Microsoft programme.
This provided a free Microsoft 365 licence that included Word, Excel, PowerPoint, OneNote, and Outlook.
The programme aimed to let learners from grades R to 12 become more productive and be better prepared for their post-school academic careers or the workplace environment.
Unfortunately, the site used to register for the offer and access account details — Mahala.ms — has been inaccessible since early September, only presenting visitors with a notification that it is “under maintenance”.
Microsoft took down the site after MyBroadband disclosed a vulnerability to the company, first discovered by concerned reader Israel Ndou.
Ndou had noticed it was possible to download a copy of the personal information of the 22,000 accounts registered for the offer by running a simple PowerShell command that could connect to the site’s Azure Active Directory.
The information included user names, email addresses, and phone numbers.
The screenshot below shows the command with some redactions to protect personal information.
Instructions for these types of PowerShell commands for Azure AD were readily available on the Internet.
Out of concern that malicious actors could use this information in phishing attacks, Ndou approached MyBroadband to help arrange coordinated disclosure with Microsoft.
Several users with registered Mahala.ms accounts confirmed the information that could be downloaded was legitimate, and the issue was then reported to Microsoft.
Microsoft has repeatedly refused to acknowledge that the issue amounted to a security vulnerability, stating it took privacy seriously and was working to resolve it.
MyBroadband again asked Microsoft for an update on Mahala.ms, but we did not receive feedback by the time of publication.
The unavailability of the Mahala.ms portal means the programme has not been able to accept new registrations for more than seven months, while existing users who have logged out of their accounts or switched to new devices cannot use the service.
Among those most affected are high school students — especially matrics.
One desperate teacher emailed MyBroadband before the matric final Computer Applications Technology practical exam last year, explaining that many students had no way to practice at home since Mahala went offline.
“We are now really desperate to have the service back,” the teacher said.