Categories: Tech

Microsoft App Misconfiguration Allows Unauthorized Access and Modifications to Bing Search Results

Wiz Research Discovers Security Issue in Microsoft Application

Cloud security firm Wiz Research has discovered a security issue in a Microsoft application that allowed unauthorized access to Bing.com search results and potential injection of XSS attacks. The attack was named “BingBang” and was reported to Microsoft on January 31, 2023.

According to Wiz researchers, the app misconfiguration occurred when developers mistakenly configured it to allow access to any Microsoft tenant, including public users. As a result, approximately 25% of multi-tenant apps scanned by Wiz were found to be misconfigured, including some apps belonging to Microsoft.

Misconfigured “Bing Trivia” App Allowed CMS Access

During their research, Wiz also found a misconfigured “Bing Trivia” app that allowed anyone to access its CMS and modify live content on Bing search results. This gave the researchers the ability to execute a cross-site scripting (XSS) attack on Bing.com, potentially compromising Office 365 user accounts.

BenSasson Claims Successful Hack into Bing Search Engine and Office 365 Accounts

In an unrelated incident, Hillai BenSasson, a researcher at cloud security firm Wiz, claims to have hacked into a Bing CMS, allowing him to alter search results and take over millions of Office 365 accounts. The vulnerability was found within Microsoft’s cloud computing service Azure, where a configuration meant that “a single checkbox is all that separates an app from becoming ‘multitenant.'”

The security flaw allowed BenSasson to change the top results on Bing searches and even take over users’ Outlook emails, calendars, and MS Teams messages. It is not clear if the vulnerability was exploited by malicious hackers before it was discovered.

Vulnerabilities Exposed in Other Microsoft Applications

The misconfigured Bing Trivia app was not the only Microsoft application affected by misconfiguration in Azure Active Directory (AAD). Wiz researchers also discovered that more than 25% of multi-tenant apps accessible from the internet lack proper validation, and Microsoft’s own applications fell into this category.

Other internal Microsoft applications impacted by the misconfiguration included Mag News, Centralized Notification Service (CNS) API, Contact Center, PoliCheck, Power Automate Blog, and the file management system COSMOS.

Microsoft Fixes Issues and Enhances Security

Microsoft fixed the issue on March 28, 2023, and introduced security enhancements to prevent future misconfigurations and unauthorized access. The company also provided updated guidance on properly securing multi-tenant applications.

Additionally, Wiz Research received a $40,000 bug bounty for responsibly disclosing their findings to Microsoft. BenSasson and his team also received a $40,000 reward for their discovery.

Takeaways and Recommendations

This incident highlights the importance of proper validation and configuration across all applications connected to Azure Active Directory. Vulnerable applications need to be checked, and administrators are advised to ensure that multi-tenant access is properly configured or switch to single-tenant authentication if multi-tenancy is not required.

While Microsoft has addressed the Bing issue and patched the vulnerable applications, it is essential that users remain vigilant about their online security. As cyberattacks continue to evolve in complexity and sophistication, staying informed about potential vulnerabilities is more critical than ever before.

Image Source: Wikimedia Commons

Kari Mckenzie

Kari McKenzie is a versatile journalist with expertise in writing news articles on diverse subjects. With a strong dedication towards delivering accurate and impartial news to readers, Kari has been working in the field of journalism for several years. Whether it's breaking news, investigative reporting or feature articles, Kari has a flair for engaging readers with her writing.

Recent Posts

Thousands to Participate in Belfast City Marathon Despite Road Closures

Belfast City Marathon 2023 Road Closures ConfirmedBelfast City Marathon organizers have confirmed the details of…

2 years ago

Fowler Native Adysen Koenigsknecht Overcomes Battle with Celiac Disease to Run Boston Marathon

Adysen Koenigsknecht's Remarkable Journey to the Boston MarathonAdysen Koenigsknecht has come a long way since…

2 years ago

ESPN Anchor John Anderson to Lead Boston Marathon Broadcast

Anderson's Passion for Track and Field Leads to Boston Marathon RoleESPN's SportsCenter anchor John Anderson…

2 years ago

Seth Rollins appeals to fans for help in funding friend’s lung transplant surgery

Seth Rollins, WWE superstar and former Universal Champion, has appealed to his fans for support…

2 years ago

2023 Boston Marathon to Showcase Elite Runners and Star-Studded Celebrities

The 2023 Boston Marathon is gearing up to be a historic event, as it will…

2 years ago

Community of Golden Retrievers Honors Spencer and Penny, the Beloved Boston Marathon Dogs

A Heartwarming Tribute to Spencer and PennyA group of golden retrievers participated in a touching…

2 years ago