Microsoft left customers of its finance and operations edition of Dynamics 365 vulnerable to traffic interception by attackers following a digital credentials bungle.
Software developer Matthias Gliwka wanted to look at how Microsoft had set up server hosting for business-critical Dynamics 365 applications, and found a wildcard transport layer security (TLS) certificate that included the private key.
Disclosing the private key for a TLS certificate allows anyone to decrypt traffic scrambled with the digital credential and impersonate the server, exposing customer communications without being detected.
Making the matter worse, Microsoft had created a wildcard certificate covering the *.sandbox.operations.dynamics.com domains.
Gliwka noted that anyone extracting the certificate would have access to all Dynamics 365 sandbox environments, which are meant to be isolated from each other.
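The blast radius Gliwka describes can be checked mechanically. The following Go program is an added example, not code from the article, from Gliwka or from Microsoft: a deployment hygiene check that scans a PEM bundle for a private key shipped next to a certificate, confirms the key is the one behind that certificate's public key, flags wildcard names, and lists which hostnames the certificate vouches for. The name `*.sandbox.example.test`, the tenant hostnames and the self-signed certificate it builds are constructed stand-ins for the `*.sandbox.operations.dynamics.com` domains in the story; nothing here touches a real key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Finding summarises what a PEM bundle reveals to a deployment hygiene check.
type Finding struct {
	Cert           *x509.Certificate // first certificate in the bundle (the leaf)
	HasPrivateKey  bool              // a private-key block travels with the certificate
	KeyMatchesCert bool              // that key is the one behind the certificate's public key
	WildcardNames  []string          // SAN entries of the form "*.domain"
}

// InspectBundle walks every PEM block in a bundle and reports whether a private
// key matching a wildcard certificate has been packaged alongside it.
func InspectBundle(bundle []byte) (Finding, error) {
	var f Finding
	var key *ecdsa.PrivateKey
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		switch block.Type {
		case "CERTIFICATE":
			c, err := x509.ParseCertificate(block.Bytes)
			if err != nil {
				return f, err
			}
			if f.Cert == nil {
				f.Cert = c
			}
		case "PRIVATE KEY": // PKCS#8, the form most export tooling produces
			f.HasPrivateKey = true
			k, err := x509.ParsePKCS8PrivateKey(block.Bytes)
			if err != nil {
				return f, err
			}
			key, _ = k.(*ecdsa.PrivateKey) // this example uses ECDSA; RSA needs the same check
		}
	}
	if f.Cert == nil {
		return f, fmt.Errorf("no certificate in bundle")
	}
	for _, name := range f.Cert.DNSNames {
		if strings.HasPrefix(name, "*.") {
			f.WildcardNames = append(f.WildcardNames, name)
		}
	}
	if pub, ok := f.Cert.PublicKey.(*ecdsa.PublicKey); ok && key != nil {
		f.KeyMatchesCert = pub.Equal(&key.PublicKey)
	}
	return f, nil
}

// CoveredHosts lists the hostnames a certificate vouches for: the blast radius
// if its key leaks. VerifyHostname applies the rule that "*." matches one label.
func CoveredHosts(cert *x509.Certificate, hosts []string) []string {
	var covered []string
	for _, h := range hosts {
		if cert.VerifyHostname(h) == nil {
			covered = append(covered, h)
		}
	}
	return covered
}

// MakeBundle builds a self-signed certificate for the constructed name
// *.sandbox.example.test and, when includeKey is true, appends its private key.
func MakeBundle(includeKey bool) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"*.sandbox.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	out := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	if includeKey {
		kb, err := x509.MarshalPKCS8PrivateKey(key)
		if err != nil {
			return nil, err
		}
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: kb})...)
	}
	return out, nil
}
```

Running `InspectBundle` over a certificate store or deployment artefact before it ships turns the article's finding into a gate: a `Finding` with both `HasPrivateKey` and `KeyMatchesCert` set means the key must be rotated and the certificate revoked, and `CoveredHosts` shows why a wildcard makes that urgent, since every tenant under the wildcard is covered by the one key while the apex name and deeper labels are not.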
He labelled the discovery of the TLS certificate as "shocking".
The software developer was able to export the private key for the TLS certificate with a small C++ program.
He reported the vulnerability to Microsoft's security response centre (MSRC) in the middle of August this year.
Even though Gliwka provided a detailed description of the vulnerability, including an encrypted copy of the extracted private key, Microsoft did not think the issue met "the bar for security servicing", because it believed an attacker would require admin credentials.
Gliwka persisted with reporting the flaw to the MSRC and Microsoft's public key infrastructure (PKI) operations until October, when he asked about the case on Twitter and received a response that the issue would be fixed as soon as possible.
Nevertheless, Microsoft did not revoke the leaked Dynamics 365 certificate until German media became involved in November, and the journalist in question opened a ticket on Mozilla's bug tracker system.
The company eventually fixed the vulnerability last week.
By that time, more than 100 days had passed since Gliwka originally reported the issue.