Published: Mar 31, 2023
Security researchers have discovered a new vulnerability in Microsoft Azure Active Directory (Azure AD). The security flaw allowed users to modify Bing search results and access users’ private data, including Outlook emails, calendars, and Microsoft Teams messages.
Dubbed BingBang, the misconfiguration in Azure Active Directory (Azure AD) was first discovered by Wiz researchers back in January. It was caused due to an authorization misconfiguration in Microsoft’s multi-tenant apps in Azure AD. These applications allow logins from potentially any Azure user, and it’s the developers’ responsibility to perform additional authorization checks.
Wiz researchers have found that approximately 25 percent of multi-tenant applications they scanned lacked proper validation. Specifically, the researchers created a new account and signed in to the Bing Trivia application. They accessed the Content Management System (CMS) and manipulated the Bing search results.
Security researchers have also discovered that the flaw could be exploited to initiate cross-site scripting (XSS) attacks. Moreover, Bing’s Work section allows users to search Office 365 data of other employees. These include emails, calendars, Teams messages, OneDrive files, and SharePoint documents.
“A malicious actor with the same access could’ve hijacked the most popular search results with the same payload and leak sensitive data from millions of users. According to SimilarWeb, Bing is the 27th most visited website in the world, with over a billion pageviews per month – in other words, millions of users could’ve been exposed to malicious search results and Office 365 data theft,” Wiz researchers explained.
According to Wiz researchers, the vulnerability is present in more than 1,000 cloud-based applications and websites. These include Mag News, Power Automate Blog, Contact Center, the PoliCheck tool, and the Cosmos file management system.
The security researchers reported the Bing flaw to Microsoft’s Security Response Center on January 31, 2023. Microsoft has already released updates to patch the vulnerability in all affected applications. Fortunately, there is no evidence that the flaw has been exploited by attackers in the wild.
Nevertheless, Microsoft has made some changes to prevent future misconfigurations in Azure Active Directory applications. The Wiz team advises IT admins to check app logs to track any suspicious activities and potential security breaches.