Wiz, a cybersecurity firm discovered a major security flaw affecting Microsoft’s Bing search engine earlier this year. The bug not only allowed users to make changes to search results but also grant them access to personal credentials and information from Microsoft Teams, Outlook, and even Office 365.
Upon further analysis, Wiz researchers narrowed down the high-risk vulnerability to Microsoft’s Azure Active Directory, which is used as the authentication mechanism for Azure App Services and Azure Functions apps. However, it was found to be flawed thus allowing unauthorized users to access these apps.
I hacked into a @Bing CMS that allowed me to alter search results and take over millions of @Office365 accounts.
How did I do it? Well, it all started with a simple click in @Azure… 👀
This is the story of #BingBang 🧵⬇️ pic.twitter.com/9pydWvHhJs
— Hillai Ben-Sasson (@hillai) March 29, 2023
Microsoft’s Azure Active Directory ships with support for various types of account access, which includes apps using the service’s multi-tenant permissions. Any user that’s part of any Azure tenant can access the apps. However, with elaborate measures in place, this can be prevented.
Wiz has further highlighted that 25% of the multi-tenant apps lacked proper validation. It’s the developer’s responsibility to ensure that they are checking for the user’s original tenant and that there are policies in place to prevent unauthorized users from gaining access to their apps.
And Microsoft’s case is quite similar according to Wiz’s findings, with its Bing Trivia app falling victim. The researchers were able to tap into the app using their own Azure accounts which then grant them access to a content management system (CMS) that was linked to Bing.com. From this point, they were able to manipulate search results.
Wiz states that from this point, it would have been very easy for the researchers that had access to launch phishing attacks (BingBang) on unsuspecting users. “A malicious actor landing on the Bing Trivia app page could therefore have tampered with any search term and launched misinformation campaigns, as well as phished and impersonated other websites,” indicated Wiz.
While looking further into the matter, Wiz came to the discovery that Bing and Office 365 were linked. This allowed the researchers to access the users’ Outlook emails, calendars, Teams messages, SharePoint documents, and OneDrive files. Multiple apps and websites belonging to Microsoft were also found to be susceptible to the same misconfiguration exploits, they included: Centralized Notification Service (CNS) API, Contact Center, PoliCheck, Power Automate Blog, and Cosmos.
In an interview with The Wall Street Journal, Ami Luttwak, the chief technology officer at Wiz stated that “A potential attacker could have influenced Bing search results and compromised Microsoft 365 emails and data of millions of people. It could have been a nation-state trying to influence public opinion or a financially motivated hacker.”
According to Wiz:
The issues we identified in this research may affect any organization with Azure Active Directory applications that have been configured as multi-tenant but lack sufficient authorization checks. Based on data from our scans, we assess that exposure is significantly more common across Azure App Service and Azure Functions applications, where validation responsibility is unclear to developers.
The cybersecurity firm details that attackers hadn’t leveraged the vulnerability to deploy their phishing attacks to unsuspecting users. Wiz reported the issue to Microsoft’s Security Response Center on January 31. Microsoft quickly acknowledged it and issued a fix on Feb 2, a few days before The new Bing’s debut. The vulnerability affecting the rest of Microsoft’s application listed above was also patched towards the end of February.
The new entry has played a significant role in helping Bing hit and cross the 100 million daily active users mark. Had the issue not been patched in time for the launch or not discovered at all, the potential risk and threat in place would have been unimaginable. Microsoft has indicated that it is invested in putting elaborate measures to ensure that the user’s security and privacy is maintained.
It’s important for admins to ensure that multi-tenant access is properly configured. Wiz has since received a $40,000 bug bounty reward from Microsoft that they said they’d donate.
via: The Verge