Azure Vulnerable To Hackers, Bing Search Results Can Be Manipulated

JAKARTA - Security researchers managed to find vulnerabilities that endangered millions of Microsoft 365 accounts, stemming from weaknesses in Azure Active Directory (AAD) that could be exploited to change Bing search results and access user data.

A cloud security researcher at Wiz, Hillai Ben-Sasson explained how they can change the search results of Bing and take over millions of Office 365 accounts. This vulnerability is nicknamed BingBang.

I hacked into a @Bing CMS that allowed me to alter search results and take over millions of @Office365 accounts.How did I do it? Well, it all started with a simple click in @Azure… 👀This is the story of #BingBang 🧵⬇️ pic.twitter.com/9pydWvHhJs

— Hillai Ben-Sasson (@hillai) March 29, 2023

Wiz himself described himself as the world's largest cybersecurity unicorn also explained his findings in blog posts.

Meanwhile, Ben-Sasson revealed how he found vulnerabilities in AAD through a scan of about 25 percent of multi-wading apps vulnerable to it.

This type of app allows every Azure tenant to issue an OAuth token for them and app developers need to check this to allow or refuse access.

If the developer fails to apply the right access validation, every Azure user can enter the application.

There are several other major Microsoft applications, one of which is the content management system (CMS) for Bing, which allows users to change the Bing search results.

Then, Wiz explained how to use CMS to replace one of the suggestions for the Bing award winner soundtrack with his own advice.

In addition to manipulating search results, Wiz can also launch XSS attacks with a high impact on Bing users.

If such an attack is successful, threat actors can gain access to Outlook emails, SharePoint documents. OneDrive files, Outlook calendars, and Teams messages are also at risk of being exposed.

Another vulnerable Microsoft app that Wiz found including MSN Bulletin can be used to email all recipients, API CNS, an internal notification service to send notifications to Microsoft Developers.

Additionally, a similar API for Call Center agents, access to file management systems with more than 4 Microsoft internal file exabytes, or full access to Microsoft WordPress blogs, as quoted from Windows Central, Friday, March 31.

Wiz recommends that administrators run queries to find out if any applications are configured to allow multiple-way access. Admins can also perform commands from Azure CLI. Details are found on Wiz's website about this.

For information, security researchers at Wiz discovered vulnerabilities in January on Microsoft's cloud computing platform. And, the good news is that Microsoft is patching all vulnerabilities, and has promised to improve customer guides and change some AAD functionality.