Earlier this year, a dangerous vulnerability was discovered in Microsoft’s Bing search engine that allowed users to modify search results and access the personal information of other Bing users from Teams, Outlook, Office 365 and more. Misconfigurations in Azure — Microsoft’s cloud computing platform — compromised Bing and allowed Azure users to access applications without authorization.
This vulnerability was found in the Azure Active Directory (AAD) identity and access management service. Applications configured with multi-tenant permissions can be signed into by any Azure user, so developers must themselves validate which users are allowed to access the app. This responsibility isn’t always clear, so misconfigurations are common — Wiz claims that 25% of all the multi-tenant apps it scanned lacked proper validation.
One of those apps was Bing Trivia. Researchers discovered a content management system (CMS) that allowed users to log into the app with their Azure account and control live search results on Bing.com. Wiz stresses that anyone who landed on the Bing Trivia app page could have manipulated Bing’s search results to launch misinformation and phishing campaigns.
Wiz’s research into the Bing issue also revealed that the exploit could be used to access other users’ Office 365 data, exposing Outlook emails, calendars, Teams messages, SharePoint documents, and OneDrive files. Wiz successfully demonstrated this by using the vulnerability to read emails from the inboxes of simulated victims. Similar misconfiguration exploits were found in over 1,000 apps and websites on Microsoft’s cloud, including Mag News, Contact Center, PoliCheck, Power Automate Blog, and Cosmos.
“Potential attackers could have impacted Bing search results and compromised Microsoft 365 email and data for millions of people,” Ami Luttwak, chief technology officer at Wiz, told The Wall Street Journal. “It could have been a nation-state trying to influence public opinion or a hacker for money.”
The exploit was patched on February 2nd, just days before Microsoft launched Bing’s AI-powered chat feature.
The Bing vulnerability was reported to Microsoft’s Security Response Center on January 31st, according to Luttwak (via The Wall Street Journal). Wiz then flagged the other vulnerable applications on February 25, and said Microsoft confirmed that all reported issues were fixed on March 20. Microsoft also said the company has made additional changes to reduce the risk of future misconfigurations.
Bing has seen a surge in popularity recently, surpassing the 100 million active users milestone earlier this month after launching its AI-powered Bing Chat feature on February 7. If this issue hadn’t been patched a few days earlier, Bing’s explosive growth could have spread a dangerous and highly accessible security exploit to millions of users. According to Similarweb, Bing is the 30th most visited website in the world.
Last October, a similarly misconfigured Microsoft Azure endpoint led to the BlueBleed data breach, which exposed data belonging to 150,000 companies in 123 countries. The latest vulnerability in Microsoft’s cloud network also became public in the same week that the company began selling its new Microsoft Security Copilot cybersecurity solution to businesses.
Wiz said there was no evidence that the vulnerability was exploited before the patch was applied. That said, Azure Active Directory logs don’t always retain details of past activity, so it could have been abused for years. Wiz recommends that organizations using Azure Active Directory applications check their application logs for suspicious logins that would indicate a security breach.
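As an added illustration, not code from the article, from Wiz or from Microsoft: the tenant check that a multi-tenant Azure AD app has to perform itself, with the missing check beside the corrected one, plus the kind of sign-in log scan the last paragraph recommends. The tenant IDs, token claims and log records are constructed, the log shape is a simplified stand-in for the real sign-in schema, and signature and audience validation of the token are assumed to have already happened.

```python
import json

# Constructed tenant ID for the app's home tenant (a placeholder, not a real Azure tenant).
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
ALLOWED_TENANTS = {HOME_TENANT}


def weak_is_authorized(claims: dict) -> bool:
    """The misconfiguration: a multi-tenant app that accepts any validly signed
    Azure AD token, so a user from any tenant is treated as an app user."""
    return "oid" in claims and "tid" in claims


def is_authorized(claims: dict, allowed_tenants=ALLOWED_TENANTS) -> bool:
    """Hardened check (signature/audience validation assumed done before this):
    the token's tenant (tid) must be on the allowlist and the v2.0 issuer must
    name that same tenant, so a token from another tenant is rejected."""
    tid = claims.get("tid")
    if tid not in allowed_tenants:
        return False
    return claims.get("iss") == f"https://login.microsoftonline.com/{tid}/v2.0"


def foreign_tenant_signins(log_lines, allowed_tenants=ALLOWED_TENANTS) -> list:
    """Detection: return successful sign-in records whose tenant is not allowed.
    Records are one JSON object per line with 'tid', 'upn' and 'result' fields
    (a constructed, simplified shape, not the real Azure AD sign-in schema)."""
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("result") == "success" and rec.get("tid") not in allowed_tenants:
            hits.append(rec)
    return hits


# Constructed sample: one home-tenant login, two attempts from an unrelated tenant.
SAMPLE_LOG = [
    '{"upn": "alice@home.example", "tid": "11111111-1111-1111-1111-111111111111", "result": "success"}',
    '{"upn": "mallory@other.example", "tid": "22222222-2222-2222-2222-222222222222", "result": "success"}',
    '{"upn": "bob@other.example", "tid": "22222222-2222-2222-2222-222222222222", "result": "failure"}',
]

if __name__ == "__main__":
    foreign = {"oid": "user-guid", "tid": "22222222-2222-2222-2222-222222222222",
               "iss": "https://login.microsoftonline.com/22222222-2222-2222-2222-222222222222/v2.0"}
    print("weak check accepts foreign tenant:", weak_is_authorized(foreign))   # True
    print("hardened check accepts foreign tenant:", is_authorized(foreign))    # False
    print("suspicious sign-ins:", [r["upn"] for r in foreign_tenant_signins(SAMPLE_LOG)])
```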