Microsoft Bing Search Engine Security Vulnerability: How It Could Have Compromised Millions of Users’ Private Data

Microsoft’s Bing search engine was recently found to have a serious security vulnerability that could have let an attacker alter search results and read private information from other Bing users’ Teams, Outlook, and Office 365 accounts. The flaw was not a bug in the Azure Active Directory (AAD) identity and access management service itself but a misconfiguration of its multi-tenant application model: an application registered as multi-tenant accepts sign-ins from users of any Azure AD tenant, and unless the application then checks which tenant issued the token it receives, any Azure user, not only the owning organization’s own accounts, can log in. Security researchers at Wiz found that several of Microsoft’s own applications were configured this way, which compromised Bing, and that over 1,000 apps and websites on Microsoft’s cloud were exposed to the same class of misconfiguration.

One of the vulnerable apps was Bing Trivia. Logging in to it with an ordinary Azure AD account gave the researchers access to a content management system (CMS) that controlled live search results on Bing.com. Wiz says that anyone with an Azure account who landed on the Bing Trivia app page could have manipulated Bing’s search results to run misinformation or phishing campaigns. Because Bing also renders Office 365 content for signed-in work accounts, the researchers went further: by injecting a cross-site scripting payload into a manipulated result, they could run script in a victim’s Bing session and use that session’s Office 365 access token to read Outlook emails, calendars, Teams messages, SharePoint documents, and OneDrive files. Wiz demonstrated this by reading emails from a simulated victim’s inbox.
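
The misconfiguration described above comes down to one missing check on the application side. The following is an added example, not code from Wiz or Microsoft: it contrasts the token acceptance logic that let any Azure AD tenant in with a hardened version that pins the issuer to an allow-list of tenants. The tenant IDs, client ID and tokens are constructed for the example, and signature verification is assumed to have been done already by a JWT library; the code shows only the claim checks that come after it.

```python
import base64
import json
import time

# Constructed identifiers for the example: none of these are real tenants or apps.
HOME_TENANT = "11111111-1111-1111-1111-111111111111"      # the app owner's tenant
ATTACKER_TENANT = "22222222-2222-2222-2222-222222222222"  # any other Azure AD tenant
APP_CLIENT_ID = "33333333-3333-3333-3333-333333333333"    # the app's client/audience ID
ALLOWED_TENANTS = {HOME_TENANT}


def _b64url(data: bytes) -> str:
    """base64url without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_token(tid: str, exp_offset: int = 3600) -> str:
    """Build a JWT-shaped token carrying the claims an Azure AD v2.0 token has.
    The signature segment is a stub: a real app must verify the signature
    against Azure AD's published keys before trusting any claim."""
    now = int(time.time())
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {
        "iss": f"https://login.microsoftonline.com/{tid}/v2.0",
        "tid": tid,
        "aud": APP_CLIENT_ID,
        "iat": now,
        "exp": now + exp_offset,
        "preferred_username": f"user@tenant-{tid[:8]}.example",
    }
    return ".".join([
        _b64url(json.dumps(header).encode()),
        _b64url(json.dumps(payload).encode()),
        "signature-stub",
    ])


def decode_payload(token: str) -> dict:
    """Return the claims segment of a JWT (no signature check here, see above)."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))


def accept_token_vulnerable(token: str) -> bool:
    """The pattern behind the Bing issue: audience and expiry are checked, but
    nothing asks which tenant issued the token, so any Azure AD account passes."""
    claims = decode_payload(token)
    return claims.get("aud") == APP_CLIENT_ID and claims.get("exp", 0) > time.time()


def accept_token_hardened(token: str, allowed_tenants=frozenset(ALLOWED_TENANTS)) -> bool:
    """Same checks plus issuer pinning: the tid claim must be an allow-listed
    tenant and iss must be that same tenant's v2.0 endpoint."""
    claims = decode_payload(token)
    if claims.get("aud") != APP_CLIENT_ID or claims.get("exp", 0) <= time.time():
        return False
    tid = claims.get("tid")
    if tid not in allowed_tenants:
        return False
    # Azure AD v1.0 tokens use "https://sts.windows.net/{tid}/" instead; pin
    # whichever issuer format your application actually receives.
    return claims.get("iss") == f"https://login.microsoftonline.com/{tid}/v2.0"


if __name__ == "__main__":
    for label, tid in (("home tenant", HOME_TENANT), ("attacker tenant", ATTACKER_TENANT)):
        tok = make_token(tid)
        print(f"{label}: vulnerable={accept_token_vulnerable(tok)} "
              f"hardened={accept_token_hardened(tok)}")
```

In a real application the same pinning is done through the token library's configuration rather than by hand: in ASP.NET Core, for example, through `TokenValidationParameters.ValidIssuers` or a custom `IssuerValidator`. Leaving the issuer unvalidated while the app registration accepts "accounts in any organizational directory" is exactly the combination that exposed Bing Trivia.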

The vulnerability was patched on February 2nd, just days before Microsoft launched Bing’s AI-powered Chat feature. Microsoft confirmed that all reported issues had been fixed on March 20th and said that it had made additional changes to reduce the risk of future misconfigurations.

Had the issue not been patched a few days earlier, the surge of new Bing users drawn by the chat launch could have exposed millions more people to an exploit that needed nothing beyond an ordinary Azure AD account. According to Similarweb, Bing is the 30th most visited website in the world.

The Bing vulnerability is not an isolated incident. In October last year a different Azure misconfiguration, a publicly readable Azure Blob Storage endpoint, led to the BlueBleed data breach, which the researchers who reported it said exposed data from 150,000 companies across 123 countries. The latest flaw in Microsoft’s cloud is also being retroactively disclosed in the same week that the company is pitching its new Microsoft Security Copilot cybersecurity product to businesses.

Wiz recommends that organizations running multi-tenant Azure Active Directory applications review those applications’ sign-in logs for logins from tenants they do not recognize, since a successful sign-in from an unexpected home tenant is the signature of this issue being exploited. Organizations whose apps do not actually need to accept accounts from other directories should reconfigure them as single-tenant. While there is no evidence that the vulnerability was exploited before it was patched, Wiz says the issue could have been exploitable for years.
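
What that log review looks like in practice, as an added example rather than anything Wiz or Microsoft published: the script below takes Azure AD sign-in records for one application and reports successful sign-ins whose home tenant is not the organization's own. The records are constructed here with field names modelled on the Microsoft Graph `signIn` resource (`appId`, `homeTenantId`, `resourceTenantId`, `status.errorCode`); in a real run they would be paged from the Graph `auditLogs/signIns` endpoint or loaded from an export. Tenant and application IDs are placeholders.

```python
import json
from collections import Counter

# Constructed identifiers; none are real tenants or apps.
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
APP_ID = "33333333-3333-3333-3333-333333333333"

# Constructed sign-in records, one JSON object per line. status.errorCode 0 is a
# successful sign-in; 50126 is the Azure AD code for a wrong username/password.
SAMPLE_SIGNINS = """\
{"createdDateTime": "2023-01-30T09:12:01Z", "userPrincipalName": "alice@contoso.example", "appId": "33333333-3333-3333-3333-333333333333", "appDisplayName": "Trivia CMS", "homeTenantId": "11111111-1111-1111-1111-111111111111", "resourceTenantId": "11111111-1111-1111-1111-111111111111", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}}
{"createdDateTime": "2023-01-30T22:47:13Z", "userPrincipalName": "mallory@other.example", "appId": "33333333-3333-3333-3333-333333333333", "appDisplayName": "Trivia CMS", "homeTenantId": "22222222-2222-2222-2222-222222222222", "resourceTenantId": "11111111-1111-1111-1111-111111111111", "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}}
{"createdDateTime": "2023-01-30T22:48:40Z", "userPrincipalName": "mallory@other.example", "appId": "33333333-3333-3333-3333-333333333333", "appDisplayName": "Trivia CMS", "homeTenantId": "22222222-2222-2222-2222-222222222222", "resourceTenantId": "11111111-1111-1111-1111-111111111111", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}}
{"createdDateTime": "2023-01-31T03:05:22Z", "userPrincipalName": "mallory@other.example", "appId": "33333333-3333-3333-3333-333333333333", "appDisplayName": "Trivia CMS", "homeTenantId": "22222222-2222-2222-2222-222222222222", "resourceTenantId": "11111111-1111-1111-1111-111111111111", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}}
{"createdDateTime": "2023-01-31T08:00:00Z", "userPrincipalName": "bob@partner.example", "appId": "44444444-4444-4444-4444-444444444444", "appDisplayName": "Expense Portal", "homeTenantId": "22222222-2222-2222-2222-222222222222", "resourceTenantId": "11111111-1111-1111-1111-111111111111", "ipAddress": "192.0.2.44", "status": {"errorCode": 0}}
"""


def load_signins(text):
    """Parse newline-delimited JSON sign-in records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def foreign_tenant_signins(records, app_id=APP_ID, home_tenant=HOME_TENANT):
    """Successful sign-ins to app_id from accounts homed in another tenant.
    Failed attempts are dropped: they show interest, not access."""
    hits = []
    for rec in records:
        if rec.get("appId") != app_id:
            continue
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        if rec.get("homeTenantId") != home_tenant:
            hits.append(rec)
    return hits


def summarize_by_tenant(hits):
    """Count successful foreign sign-ins per (homeTenantId, userPrincipalName)."""
    return Counter((h["homeTenantId"], h["userPrincipalName"]) for h in hits)


if __name__ == "__main__":
    hits = foreign_tenant_signins(load_signins(SAMPLE_SIGNINS))
    for (tenant, upn), n in summarize_by_tenant(hits).items():
        print(f"{n} successful sign-in(s) from tenant {tenant} as {upn}")
    for h in hits:
        print(h["createdDateTime"], h["userPrincipalName"], h["ipAddress"])
```

If the application is multi-tenant on purpose (for example a B2B portal), compare the home tenants against the list of organizations actually onboarded rather than against a single tenant; a sign-in from a tenant nobody onboarded is the finding either way.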

In conclusion, the Bing vulnerability is a reminder that cloud identity providers are complex and make misconfigurations easy, and that threat actors can leverage those misconfigurations to reach an organization’s production environment. It also highlights two practical controls: restrict an application to a single tenant unless it truly needs multi-tenancy, and where it does, validate the token issuer in the application and watch the sign-in logs for logins from unexpected tenants.