Share this article

Latest news

With KB5043178 to Release Preview Channel, Microsoft advises Windows 11 users to plug in when the battery is low

Copilot in Outlook will generate personalized themes for you to customize the app

Microsoft will raise the price of its 365 Suite to include AI capabilities

Death Stranding Director’s Cut is now Xbox X|S at a huge discount

Outlook will let users create custom account icons so they can tell their accounts apart easier

Researcher breaks in to Bing, Office 365 via AAD misconfiguration, now fixed

4 min. read

Published onMarch 30, 2023

published onMarch 30, 2023

Share this article

Read our disclosure page to find out how can you help Windows Report sustain the editorial teamRead more

Wiz, a cybersecurity firm discovered a majorsecurity flaw affecting Microsoft’s Bing search engineearlier this year. The bug not only allowed users to make changes to search results but also grant them access to personal credentials and information from Microsoft Teams, Outlook, and even Office 365.

Upon further analysis, Wiz researchers narrowed down the high-risk vulnerability to Microsoft’s Azure Active Directory, which is used as the authentication mechanism for Azure App Services and Azure Functions apps. However, it was found to be flawed thus allowing unauthorized users to access these apps.

I hacked into a@BingCMS that allowed me to alter search results and take over millions of@Office365accounts.How did I do it? Well, it all started with a simple click in@Azure… ????This is the story of#BingBang????⬇️pic.twitter.com/9pydWvHhJs

— Hillai Ben-Sasson (@hillai)March 29, 2023

Microsoft’s Azure Active Directory ships with support for various types of account access, which includes apps using the service’s multi-tenant permissions. Any user that’s part of any Azure tenant can access the apps. However, with elaborate measures in place, this can be prevented.

Wiz has further highlighted that 25% of the multi-tenant apps lacked proper validation. It’s the developer’s responsibility to ensure that they are checking for the user’s original tenant and that there are policies in place to prevent unauthorized users from gaining access to their apps.

And Microsoft’s case is quite similar according to Wiz’s findings, with its Bing Trivia app falling victim. The researchers were able to tap into the app using their own Azure accounts which then grant them access to a content management system (CMS) that was linked to Bing.com. From this point, they were able to manipulate search results.

Wiz states that from this point, it would have been very easy for the researchers that had access to launch phishing attacks (BingBang) on unsuspecting users. “A malicious actor landing on the Bing Trivia app page could therefore have tampered with any search term and launched misinformation campaigns, as well as phished and impersonated other websites,” indicated Wiz.

While looking further into the matter, Wiz came to the discovery that Bing and Office 365 were linked. This allowed the researchers to access the users’ Outlook emails, calendars, Teams messages, SharePoint documents, and OneDrive files. Multiple apps and websites belonging to Microsoft were also found to be susceptible to the same misconfiguration exploits, they included: Centralized Notification Service (CNS) API, Contact Center, PoliCheck, Power Automate Blog, and Cosmos.

In an interview withThe Wall Street Journal, Ami Luttwak, the chief technology officer at Wiz stated that “A potential attacker could have influenced Bing search results and compromised Microsoft 365 emails and data of millions of people. It could have been a nation-state trying to influence public opinion or a financially motivated hacker.”

According to Wiz:

The issues we identified in this research may affect any organization with Azure Active Directory applications that have been configured as multi-tenant but lack sufficient authorization checks. Based on data from our scans, we assess that exposure is significantly more common across Azure App Service and Azure Functions applications, where validation responsibility is unclear to developers.

The cybersecurity firm details that attackers hadn’t leveraged the vulnerability to deploy their phishing attacks to unsuspecting users. Wiz reported the issue to Microsoft’s Security Response Center on January 31. Microsoft quickly acknowledged it and issued a fix on Feb 2, a few days beforeThe new Bing’s debut. The vulnerability affecting the rest of Microsoft’s application listed above was also patched towards the end of February.

The new entry has played a significant role in helping Bing hit and cross the100 million daily active usersmark. Had the issue not been patched in time for the launch or not discovered at all, the potential risk and threat in place would have been unimaginable. Microsoft has indicated that it is invested in putting elaborate measures to ensure that the user’s security and privacy is maintained.

It’s important for admins to ensure that multi-tenant access is properly configured. Wiz has sincereceived a $40,000 bug bounty reward from Microsoftthat they said they’d donate.

via:The Verge

Radu Tyrsina

Radu Tyrsina has been a Windows fan ever since he got his first PC, a Pentium III (a monster at that time).

For most of the kids of his age, the Internet was an amazing way to play and communicate with others, but he was deeply impressed by the flow of information and how easily you can find anything on the web.

Prior to founding Windows Report, this particular curiosity about digital content enabled him to grow a number of sites that helped hundreds of millions reach faster the answer they’re looking for.

User forum

0 messages

Sort by:LatestOldestMost Votes

Comment*

Name*

Email*

Commenting as.Not you?

Save information for future comments

Comment

Δ

Radu Tyrsina