The website that allows learners and young students to sign up for free subscriptions to several of Microsoft’s productivity apps has been dead for a year.
MyBroadband’s attempts to establish why the Mahala.ms portal has remained under maintenance since we disclosed a security vulnerability on the site have been met with the same generic response.
Launched in 2017, Mahala by Microsoft allowed South Africans between 8 and 24 years old to get a free Microsoft 365 licence and 5GB of OneDrive cloud storage.
The licence included access to popular productivity apps like Excel, Word, OneNote, Outlook, and PowerPoint, which formed part of the former Office 365 suite.
The programme aimed to allow learners from grades R to 12 to be more productive and hone their computer skills for their academic careers or future workplace.
Users simply needed to sign up for the programme through Mahala.ms.
But the website was taken down in early September 2021 when MyBroadband informed Microsoft of a vulnerability that exposed the details of its roughly 22,000 users to anyone with an account on the programme.
The flaw was discovered by MyBroadband reader Israel Ndou and shared with this publication to report to Microsoft.
The reader said he reached out because he was concerned that malicious parties could use the information for identity theft or phishing.
Registered Mahala users could see others who signed up for the programme on the Mahala.ms website.
That was because a subscription provided access to Microsoft’s cloud-based identity and access management service, Azure Active Directory (AD).
By running a simple command through Microsoft PowerShell using a module that can be connected to Azure AD (pictured below), a user could download the names, email addresses, cellphone numbers, and Mahala.ms email addresses of all other users.
The Mahala.ms website has shown a “Site under maintenance” message since the vulnerability was reported.
On four occasions since October 2021, the latest being in August 2022, MyBroadband asked Microsoft for feedback on why fixing the issue was taking such a long time.
Every time, we got the same response:
“We take privacy seriously and have addressed an issue, that was not in any way related to a security vulnerability, in which names and in some cases, email addresses and phone numbers, could be discovered. The Mahala service is operational for existing users and we are working to resume the service for new subscribers.”
Aside from Microsoft supposedly “working to resume the service” for a year, its insistence that the site’s “under maintenance” status was not “in any way related to a security vulnerability” does not make sense.
This seems to imply that the ability to download the information of other users was a feature, not a bug.
It would also not explain why it was necessary to take down the site in the first place.
Although Microsoft says registered users can still use the apps, those users can’t sign in on a new device.
Several educators and a government employee have asked MyBroadband when the programme would be available again.
One teacher explained the site’s unavailability had made it difficult for her matrics to prepare for their year-end exams.
“I’m very grateful for you and your reader playing the watchdog, keeping organisations such as these accountable. However, we are now really desperate to have the service back,” she stated.
Unfortunately, from Microsoft’s responses, we cannot surmise an estimated time for the site to be back online, if ever.