A significant security flaw has been discovered within the Microsoft Events platform, which could have allowed attackers to access the personal information of users from two separate databases: the event registration list and the waitlist.
The vulnerability, uncovered by a 15-year-old bug bounty hunter known as Faav, exposed sensitive user data, including full names, email addresses, phone numbers, and in some cases, physical addresses. The flaw was responsibly disclosed to Microsoft and has since been patched.
The investigation began when the researcher started examining the events.microsoft.com subdomain, which led to the discovery of several API endpoints on the msevents.microsoft.com domain.

Initial tests for vulnerabilities on various endpoints returned no sensitive data. The first breakthrough came when an OData injection flaw was identified in the /api/GetEvents endpoint.
However, this initial entry point proved to be a dead end, as it only returned non-sensitive, public event information and threw errors when attempts were made to access other data tables like accounts or contacts.

A similar injection vulnerability was found in another endpoint, /api/GetEventCustomRegistrationFields, which allowed the enumeration of all Microsoft events but still did not leak any user data.
The crucial discovery was made within a POST endpoint named /api/CheckEventRegistration. This feature was designed to check whether a user's email was already registered for a specific event.
The researcher found that by injecting crafted payloads into the email and eventId fields, it was possible to alter the queries the service built from them.
A specific OData injection technique revealed that the endpoint was making two separate requests to two different databases. By carefully crafting the input, Faav was able to target each database individually.
One injection allowed the enumeration of the entire Waitlist database, which contained fields such as fullname, telephone1, address1_line1, company, and email addresses, including many from government and corporate domains.

By reversing the injection technique, the researcher was able to access the second database, the Event Registration list.
This database contained personal details like first name, last name, phone number, company name, and country. Some events even included custom fields for Partner IDs and Tenant IDs.
The researcher noted that there were no rate limits in place, meaning an attacker could have scripted the extraction of all data from both databases.
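The two weaknesses described above, user-controlled values reaching an OData $filter unvalidated and the absence of any rate limit, are both addressed in the following added example; it is illustrative code written for this article, not Microsoft's implementation, and it assumes an eventId in GUID form and the field names email and eventId, none of which the article confirms.

```python
import re
import time
from collections import defaultdict, deque

# Allow-list patterns: a plain e-mail address and a GUID-style event id
# (the GUID format and the field names are assumptions for this example).
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
EVENT_ID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")


class InvalidInput(ValueError):
    """Raised when a request field fails allow-list validation."""


def odata_quote(value: str) -> str:
    """Quote an OData string literal: single quotes inside it are doubled."""
    return "'" + value.replace("'", "''") + "'"


def build_registration_filter(email: str, event_id: str) -> str:
    """Build the $filter for 'is this e-mail registered for this event?'.
    Fields are validated first; the e-mail is additionally quoted so a value
    containing filter operators can never change the shape of the query."""
    if len(email) > 254 or not EMAIL_RE.fullmatch(email):
        raise InvalidInput("email rejected")
    if not EVENT_ID_RE.fullmatch(event_id):
        raise InvalidInput("eventId rejected")
    return (f"email eq {odata_quote(email.lower())} "
            f"and eventId eq {event_id.lower()}")


class SlidingWindowLimiter:
    """Per-client request cap over a sliding time window (in-memory)."""
    def __init__(self, limit: int, window_s: float):
        self.limit, self.window_s = limit, window_s
        self._hits = defaultdict(deque)

    def allow(self, client: str, now=None) -> bool:
        now = time.monotonic() if now is None else now
        hits = self._hits[client]
        while hits and now - hits[0] >= self.window_s:  # drop expired hits
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def check_event_registration(email, event_id, client, limiter, now=None):
    """Handler logic: rate-limit first, then validate, then build the query."""
    if not limiter.allow(client, now):
        return {"status": 429}
    try:
        return {"status": 200, "filter": build_registration_filter(email, event_id)}
    except InvalidInput as exc:
        return {"status": 400, "error": str(exc)}
```

The limiter key would normally be the caller's IP or account, and the returned filter is what the handler passes to the OData backend instead of raw request fields.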
After successfully demonstrating the ability to leak this information, Faav stopped further testing and reported the findings to the Microsoft Security Response Center (MSRC) on July 23, 2025.
According to the timeline provided, Microsoft acknowledged the issue and completed a fix by August 26, 2025.