A vulnerability that might compromise the security of millions of Microsoft 365 accounts was found earlier this year. Researchers at Wiz detected a hole in Azure that could be exploited to access Bing’s CMS and harvest sensitive information from Microsoft applications like Teams, Outlook, and the Office suite. The bug was discovered in Azure.
A cloud security researcher at Wiz named Hillai Ben-Sasson explained how the company was able to manipulate Bing search results and “take control millions of Office 365 accounts.”
After logging into Bing Trivia with their own Azure user, the researchers discovered a CMS that was linked to Bing.com. This discovery was made after the researchers discovered that 25% of the multi-tenant apps that were scanned on the internet were vulnerable. One of these apps was a Microsoft-made app called “Bing Trivia.” Wiz cautioned in a study that organizations that had Azure Active Directory (AAD) applications setup as multi-tenant and lacked permission checks were vulnerable to attacks that were the same or very similar to those that had already occurred. Hence, administrators should make sure that multi-tenant access is correctly setup or switch to single-tenant authentication if multi-tenancy is not necessary. If multi-tenancy not required, administrators should convert to single-tenant authentication. It is also advised that you check the logs for susceptible programs for any previous activity.
In addition to this, they demonstrated their ability to affect arbitrary search results on Bing.com by momentarily changing the content of a term that was stored inside the CMS. If someone with nefarious purpose were to access the Bing Trivia app page, they would be able to manipulate search results, disseminate fake information, and impersonate other websites in an effort to coerce users into disclosing their personal information. It is possible for a threat actor to acquire access to documents and emails stored in SharePoint and Outlook. Files stored in OneDrive, calendars in Outlook, and conversations sent via Teams were all at danger of being made public.
The researchers went on to uncover that it was possible for them to compromise the Office 365 token of any Bing user by using a technique called cross-site scripting (XSS). Users are able to search their Office 365 data using the “Work” area of Bing, which is made possible thanks to the integration between Bing and Office 365. The researchers were able to create an XSS payload by using this capability, which allowed them to steal users’ Office 365 access tokens.
If an attacker gets their hands on a stolen token, they will be able to access the Office 365 data of Bing users. This includes the users’ Outlook emails, calendars, Teams chats, SharePoint documents, and OneDrive files. There was a potential for millions of users to be exposed to fraudulent search results and for Office 365 data to be stolen.
The security flaw that was found in Bing.com serves as a timely warning that even a seemingly little oversight on the part of a developer may have significant repercussions, including the potential to bring down one of the most visited websites in the world. The adaptability of the infrastructure provided by the cloud helps to speed up innovation, but it also introduces changes and new threats.
Wiz informed Microsoft about the vulnerability in Bing, and the software giant rectified it almost immediately after receiving the warning. On February 25, 2023, the research company alerted Microsoft to the existence of other programs that included vulnerabilities. On the 20th of March, 2023, Microsoft verified to Wiz that all of the problems that were associated with the issue had been resolved.
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.