Microsoft Cloud Vulnerability Led to Bing Search Hijacking, Exposure of Office 365 Data

An Azure Active Directory (AAD) misconfiguration leading to Bing.com compromise earned Wiz researchers a $40,000 bug bounty reward.

A misconfiguration in Azure Active Directory (AAD) that exposed applications to unauthorized access could have led to a Bing.com takeover, according to cybersecurity firm Wiz.

Microsoft’s AAD, a cloud-based identity and access management (IAM) service, is typically used as the authentication mechanism for Azure App Services and Azure Functions applications.

The service supports different types of account access, including multi-tenant, where any user belonging to any Azure tenant can obtain an OAuth token for the application, unless proper restrictions are in place.

For multi-tenant applications, developers are responsible for checking a user’s original tenant and enforcing access policies to prevent unauthorized logins, but Wiz discovered that more than 25% of the multi-tenant apps accessible from the internet lack proper validation.

The issue exists because it is not evident to developers that they are responsible for validating user identity, leading to configuration and validation mistakes. What Wiz discovered, however, was that Microsoft’s own applications fell into the same category.
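The tenant check that the article says is left to developers, shown as an added example (not Wiz's or Microsoft's code): the vulnerable pattern accepts any validly signed Azure AD token, while the hardened version also requires the token's `tid` to be on an allow-list and its `iss` to name that same tenant. The tenant IDs and the unsigned token builder are constructed for the demo; signature and expiry verification are assumed to have happened upstream.

```python
import base64
import json

# Constructed sample value: the only tenant this hypothetical app should serve.
ALLOWED_TENANTS = {"11111111-1111-1111-1111-111111111111"}

# Azure AD v2.0 tokens carry an issuer of the form
# https://login.microsoftonline.com/{tid}/v2.0, so iss and tid must agree.
ISSUER_PREFIX = "https://login.microsoftonline.com/"


def _b64url_encode(obj: dict) -> str:
    raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
    return raw.rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for the demo. A real token is signed
    by AAD and must have its signature and expiry checked before this point."""
    header = {"alg": "none", "typ": "JWT"}
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}."


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWT (no signature check here; the
    example assumes verification already happened upstream)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def vulnerable_is_authorized(claims: dict) -> bool:
    """The mistake the article describes: any validly signed AAD token, from
    any tenant, is treated as an authorized user of the app."""
    return "oid" in claims  # "has an identity" is not "belongs to us"


def hardened_is_authorized(claims: dict, allowed=ALLOWED_TENANTS) -> bool:
    """Accept only tokens whose tenant is on the allow-list and whose issuer
    names that same tenant, so a mismatched tid/iss pair is rejected."""
    tid = claims.get("tid")
    if tid not in allowed:
        return False
    return claims.get("iss") == f"{ISSUER_PREFIX}{tid}/v2.0"


if __name__ == "__main__":
    foreign_tid = "22222222-2222-2222-2222-222222222222"  # constructed outsider tenant
    claims = decode_claims(make_unsigned_token(
        {"tid": foreign_tid, "oid": "user", "iss": f"{ISSUER_PREFIX}{foreign_tid}/v2.0"}))
    print(vulnerable_is_authorized(claims), hardened_is_authorized(claims))  # True False
```

Switching the app registration to single-tenant, as the article later recommends, makes AAD itself refuse to issue tokens for other tenants, so this application-side check then acts as defence in depth rather than the only barrier.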

One of these apps was Bing Trivia, a Microsoft application that provided access to a content management system (CMS) linked to Bing.com, and which allowed Wiz researchers to control results on Microsoft’s search engine. Wiz calls the attack ‘BingBang’.

“A malicious actor landing on the Bing Trivia app page could therefore have tampered with any search term and launched misinformation campaigns, as well as phished and impersonated other websites,” Wiz says.

Digging deeper, the researchers discovered that Bing and Office 365 were connected, and that they could add a cross-site scripting (XSS) payload to Bing.com, which allowed them to compromise the Office 365 token of any user.

This provided them with access to a user’s Office 365 data, including emails, Teams messages, calendar entries, and SharePoint and OneDrive files.

“A malicious actor with the same access could’ve hijacked the most popular search results with the same payload and leaked the sensitive data of millions of users,” Wiz notes.

Other internal Microsoft applications also impacted by the misconfiguration included Mag News, Centralized Notification Service (CNS) API, Contact Center, PoliCheck, Power Automate Blog, and the file management system COSMOS.

“The issues we identified in this research may affect any organization with Azure Active Directory applications that have been configured as multi-tenant but lack sufficient authorization checks. Based on data from our scans, we assess that exposure is significantly more common across Azure App Service and Azure Functions applications, where validation responsibility is unclear to developers,” Wiz notes.

Administrators are advised to check their application configurations to ensure that multi-tenant access is properly configured, or switch to single-tenant authentication if multi-tenancy is not required. For vulnerable applications, checking logs for past activity is also recommended (AAD logs, however, are insufficient for that).

Microsoft addressed the initial Bing issue on January 31, the same day that Wiz reported it. The tech giant patched the vulnerable applications in late February and issued a $40,000 bug bounty reward this week.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
