Microsoft Cloud Vulnerability Led to Bing Search Hijacking, Exposure of Office 365 Data

An Azure Active Directory (AAD) misconfiguration leading to compromise earned Wiz researchers a $40,000 bug bounty reward.


A misconfiguration in Azure Active Directory (AAD) that left multi-tenant applications open to unauthorized access could have allowed an attacker to take over Bing search results, according to cybersecurity firm Wiz.

Microsoft’s AAD, a cloud-based identity and access management (IAM) service, is typically used as the authentication mechanism for Azure App Services and Azure Functions applications.

Applications registered in AAD can be configured as single-tenant or multi-tenant. For a multi-tenant application, a user from any Azure AD tenant can obtain a valid OAuth token for it; AAD issues that token without further restriction, so any limit on which tenants may sign in has to be enforced by the application itself.

Developers of multi-tenant applications are therefore responsible for checking which tenant a user's token was issued by (the tid and iss claims) and enforcing an access policy on it, but Wiz found that more than 25% of the internet-accessible multi-tenant apps it scanned lacked such validation.

The root cause is that it is not evident to developers that AAD only authenticates the user, and that authorizing which tenants may log in is their job; the result is configuration and validation mistakes. Wiz also found that Microsoft's own applications fell into the same category.
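Added example (written for this page, not code from Wiz, Microsoft or the article): the tenant check a multi-tenant AAD application has to perform itself. It mints two constructed tokens, one from the app's home tenant and one from a foreign tenant, then runs both through a validator that only checks signature, audience and expiry (the pattern behind BingBang) and through one that also pins the tid and iss claims to an allow-list. The client ID, tenant IDs and HS256 test key are hypothetical; real AAD tokens are RS256 and are verified against the issuer's published signing keys, which changes only the signature step, not the claim checks shown here.

```python
# Added example, not Wiz's or Microsoft's code. Azure AD only guarantees that a
# token was issued by *some* Azure AD tenant; a multi-tenant app must decide
# which tenants it trusts. HS256 with a shared test key stands in for the RS256
# signature you would verify against the issuer's JWKS in production.
import base64
import hashlib
import hmac
import json
import time

# Hypothetical values for the demonstration only.
APP_CLIENT_ID = "11111111-2222-3333-4444-555555555555"   # our app's audience (aud)
HOME_TENANT = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"     # the tenant we actually serve
FOREIGN_TENANT = "99999999-8888-7777-6666-555555555555"  # any other Azure AD tenant
TEST_KEY = b"not-a-real-key-only-for-the-demo"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(tenant_id: str, upn: str, key: bytes = TEST_KEY, ttl: int = 3600) -> str:
    """Build a JWT shaped like an Azure AD v2.0 access token. For a multi-tenant
    app a user from any tenant can obtain one; only tid and iss differ."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    payload = {
        "aud": APP_CLIENT_ID,
        "iss": f"https://login.microsoftonline.com/{tenant_id}/v2.0",
        "tid": tenant_id,
        "preferred_username": upn,
        "iat": now, "nbf": now, "exp": now + ttl,
    }
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def _verify_signature_and_basic_claims(token: str, key: bytes) -> dict:
    """What generic JWT middleware does: signature, audience, expiry.
    Nothing here looks at which tenant issued the token."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("aud") != APP_CLIENT_ID:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) < time.time():
        raise ValueError("token expired")
    return claims

def validate_weak(token: str, key: bytes = TEST_KEY) -> dict:
    """The BingBang pattern: a valid token from *any* Azure AD tenant is accepted."""
    return _verify_signature_and_basic_claims(token, key)

def validate_hardened(token: str, allowed_tenants: frozenset, key: bytes = TEST_KEY) -> dict:
    """The check the application is responsible for: bind the token to the
    tenants this deployment serves, and make the issuer agree with tid."""
    claims = _verify_signature_and_basic_claims(token, key)
    tid = claims.get("tid")
    if tid not in allowed_tenants:
        raise PermissionError(f"tenant {tid} is not authorized for this application")
    if claims.get("iss") != f"https://login.microsoftonline.com/{tid}/v2.0":
        raise PermissionError("issuer does not match tid")
    return claims

def accepts(validator, token: str, **kw) -> bool:
    """True if the validator lets the token through, False if it rejects it."""
    try:
        validator(token, **kw)
        return True
    except (ValueError, PermissionError):
        return False

def demo() -> dict:
    """Home-tenant and foreign-tenant tokens against both validators."""
    home = mint_token(HOME_TENANT, "alice@contoso.example")
    foreign = mint_token(FOREIGN_TENANT, "mallory@other.example")
    allowed = frozenset({HOME_TENANT})
    return {
        "weak_home": accepts(validate_weak, home),
        "weak_foreign": accepts(validate_weak, foreign),          # accepted: the bug
        "hardened_home": accepts(validate_hardened, home, allowed_tenants=allowed),
        "hardened_foreign": accepts(validate_hardened, foreign, allowed_tenants=allowed),
    }

if __name__ == "__main__":
    print(demo())
```

The weak validator is not wrong as a JWT check; the signature, audience and expiry all hold for the foreign token, which is exactly why a middleware-only setup passes it. The allow-list is the policy decision AAD cannot make for you, and it is the same decision you make implicitly when you switch an app registration to single-tenant.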

One of these apps was Bing Trivia, a Microsoft application that exposed a content management system (CMS) linked to Bing, which allowed Wiz researchers to control results on Microsoft's search engine. Wiz calls the attack 'BingBang'.

“A malicious actor landing on the Bing Trivia app page could therefore have tampered with any search term and launched misinformation campaigns, as well as phished and impersonated other websites,” Wiz says.


Digging deeper, the researchers discovered that Bing and Office 365 were integrated, and that they could add a cross-site scripting (XSS) payload to Bing search results, which allowed them to compromise the Office 365 token of any Bing user who viewed them.

This provided them with access to a user’s Office 365 data, including emails, Teams messages, calendar entries, and SharePoint and OneDrive files.

“A malicious actor with the same access could’ve hijacked the most popular search results with the same payload and leaked the sensitive data of millions of users,” Wiz notes.

Other internal Microsoft applications also impacted by the misconfiguration included Mag News, Centralized Notification Service (CNS) API, Contact Center, PoliCheck, Power Automate Blog, and the file management system COSMOS.

“The issues we identified in this research may affect any organization with Azure Active Directory applications that have been configured as multi-tenant but lack sufficient authorization checks. Based on data from our scans, we assess that exposure is significantly more common across Azure App Service and Azure Functions applications, where validation responsibility is unclear to developers,” Wiz notes.

Administrators are advised to review their application configurations to ensure that multi-tenant access is intentional and that tenant validation is enforced, or to switch to single-tenant authentication if multi-tenancy is not required. For applications that were exposed, checking application logs for past sign-ins from foreign tenants is also recommended; AAD sign-in logs alone are not sufficient for that.

Microsoft addressed the initial Bing issue on January 31, the same day that Wiz reported it. The tech giant patched the vulnerable applications in late February and issued a $40,000 bug bounty reward this week.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
