A misconfiguration in Azure Active Directory (AAD) that exposed applications to unauthorized access could have led to a Bing.com takeover, according to cybersecurity firm Wiz.
Microsoft’s AAD, a cloud-based identity and access management (IAM) service, is typically used as the authentication mechanism for Azure App Services and Azure Functions applications.
The service supports different types of account access, including multi-tenant, where any user belonging to any Azure tenant can issue an OAuth token for them, unless proper restrictions are in place.
For multi-tenant applications, developers are responsible for checking a user’s original tenant and enforcing access policies to prevent unauthorized logins, but Wiz discovered that more than 25% of the multi-tenant apps accessible from the internet lack proper validation.
The issue exists because it is not evident to developers that they are responsible for validating user identity, leading to configuration and validation mistakes. What Wiz discovered, however, was that Microsoft’s own applications fell into the same category.
One of these apps was Bing Trivia, a Microsoft application that provided access to a content management system (CMS) linked to Bing.com, and which allowed Wiz researchers to control results on Microsoft’s search engine. Wiz calls the attack ‘BingBang’.
“A malicious actor landing on the Bing Trivia app page could therefore have tampered with any search term and launched misinformation campaigns, as well as phished and impersonated other websites,” Wiz says.
Digging deeper, the researchers discovered that Bing and Office 365 were connected, and that they could add a cross-site scripting (XSS) payload to Bing.com, which allowed them to compromise the Office 365 token of any user.
This provided them with access to a user’s Office 365 data, including emails, Teams messages, calendar entries, and SharePoint and OneDrive files.
“A malicious actor with the same access could’ve hijacked the most popular search results with the same payload and leaked the sensitive data of millions of users,” Wiz notes.
Other internal Microsoft applications also impacted by the misconfiguration included Mag News, Centralized Notification Service (CNS) API, Contact Center, PoliCheck, Power Automate Blog, and the file management system COSMOS.
“The issues we identified in this research may affect any organization with Azure Active Directory applications that have been configured as multi-tenant but lack sufficient authorization checks. Based on data from our scans, we assess that exposure is significantly more common across Azure App Service and Azure Functions applications, where validation responsibility is unclear to developers,” Wiz notes.
Administrators are advised to check their application configurations to ensure that multi-tenant access is properly configured, or switch to single-tenant authentication if multi-tenancy is not required. For vulnerable applications, checking logs for past activity is also recommended (AAD logs, however, are insufficient for that).
Microsoft addressed the initial Bing issue on January 31, the same day that Wiz reported it. The tech giant patched the vulnerable applications in late February and issued a $40,000 bug bounty reward this week.
Related: CSRF Vulnerability in Kudu SCM Allowed Code Execution in Azure Services
Related: Most Weaponized Vulnerabilities of 2022 and 5 Key Risks: Report
Related: Despite Warnings, Cloud Misconfiguration Problem Remains Disturbing