Microsoft App Misconfiguration Allows Unauthorized Access and Modifications to Bing Search Results

Wiz Research Discovers Security Issue in Microsoft Application

Cloud security firm Wiz Research has discovered a security issue in a Microsoft application that allowed unauthorized access to Bing.com search results and potential injection of XSS attacks. The attack was named “BingBang” and was reported to Microsoft on January 31, 2023.

According to Wiz researchers, the app misconfiguration occurred when developers mistakenly configured it to allow access to any Microsoft tenant, including public users. As a result, approximately 25% of multi-tenant apps scanned by Wiz were found to be misconfigured, including some apps belonging to Microsoft.

Misconfigured “Bing Trivia” App Allowed CMS Access

During their research, Wiz also found a misconfigured “Bing Trivia” app that allowed anyone to access its CMS and modify live content on Bing search results. This gave the researchers the ability to execute a cross-site scripting (XSS) attack on Bing.com, potentially compromising Office 365 user accounts.

BenSasson Claims Successful Hack into Bing Search Engine and Office 365 Accounts

In an unrelated incident, Hillai BenSasson, a researcher at cloud security firm Wiz, claims to have hacked into a Bing CMS, allowing him to alter search results and take over millions of Office 365 accounts. The vulnerability was found within Microsoft’s cloud computing service Azure, where a configuration meant that “a single checkbox is all that separates an app from becoming ‘multitenant.'”

The security flaw allowed BenSasson to change the top results on Bing searches and even take over users’ Outlook emails, calendars, and MS Teams messages. It is not clear if the vulnerability was exploited by malicious hackers before it was discovered.

Vulnerabilities Exposed in Other Microsoft Applications

The misconfigured Bing Trivia app was not the only Microsoft application affected by misconfiguration in Azure Active Directory (AAD). Wiz researchers also discovered that more than 25% of multi-tenant apps accessible from the internet lack proper validation, and Microsoft’s own applications fell into this category.

Other internal Microsoft applications impacted by the misconfiguration included Mag News, Centralized Notification Service (CNS) API, Contact Center, PoliCheck, Power Automate Blog, and the file management system COSMOS.

Microsoft Fixes Issues and Enhances Security

Microsoft fixed the issue on March 28, 2023, and introduced security enhancements to prevent future misconfigurations and unauthorized access. The company also provided updated guidance on properly securing multi-tenant applications.

Additionally, Wiz Research received a $40,000 bug bounty for responsibly disclosing their findings to Microsoft. BenSasson and his team also received a $40,000 reward for their discovery.

Takeaways and Recommendations

This incident highlights the importance of proper validation and configuration across all applications connected to Azure Active Directory. Vulnerable applications need to be checked, and administrators are advised to ensure that multi-tenant access is properly configured or switch to single-tenant authentication if multi-tenancy is not required.

While Microsoft has addressed the Bing issue and patched the vulnerable applications, it is essential that users remain vigilant about their online security. As cyberattacks continue to evolve in complexity and sophistication, staying informed about potential vulnerabilities is more critical than ever before.

Image Source: Wikimedia Commons