"Microsoft Cloud Vulnerability Led to Bing Search Hijacking, Exposure of Office 365 Data"

According to cybersecurity researchers at Wiz, a misconfiguration in Azure Active Directory (AAD) that exposed applications to unauthorized access could have led to a Bing[.]com takeover. Microsoft's AAD, a cloud-based identity and access management (IAM) service, is typically used as the authentication mechanism for Azure App Services and Azure Functions applications. The service supports different types of account access, including multi-tenant, where a user belonging to any Azure tenant can obtain an OAuth token for the application unless proper restrictions are in place. For multi-tenant applications, developers are responsible for checking a user's home tenant and enforcing access policies to prevent unauthorized logins, but the researchers discovered that more than 25% of the multi-tenant apps accessible from the internet lack proper validation. The researchers noted that the issue exists because it is not evident to developers that they are responsible for validating user identity, which leads to configuration and validation mistakes. They stated that Microsoft's own applications fell into the same category.

One of these apps was Bing Trivia, a Microsoft application that provided access to a content management system (CMS) linked to Bing[.]com and allowed the researchers to control results on Microsoft's search engine. The researchers call the attack "BingBang." They noted that a malicious actor landing on the Bing Trivia app page could have tampered with any search term and launched misinformation campaigns, as well as phished and impersonated other websites. While digging deeper, the researchers discovered that Bing and Office 365 were connected and that they could add a cross-site scripting (XSS) payload to Bing[.]com, which allowed them to compromise the Office 365 token of any user. This provided them with access to a user's Office 365 data, including emails, Teams messages, calendar entries, and SharePoint and OneDrive files. The researchers stated that a malicious actor with the same access could have hijacked the most popular search results with the same payload and leaked the sensitive data of millions of users.

Other internal Microsoft applications also impacted by the misconfiguration included Mag News, Centralized Notification Service (CNS) API, Contact Center, PoliCheck, Power Automate Blog, and the file management system COSMOS. Microsoft addressed the initial Bing issue on January 31, the same day that the researchers reported it. The tech giant patched the vulnerable applications in late February and issued a $40,000 bug bounty reward this week.
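The misconfiguration described above is the absence of a tenant check: a multi-tenant AAD app accepts any validly signed token, whatever tenant issued it. The following is an added example (not Wiz's, Microsoft's, or SecurityWeek's code) of the authorization step that the summary says developers are responsible for. It assumes the token's signature has already been verified against the issuer's signing keys by whatever JWT library the app uses; the functions shown only decode the payload and enforce that the `tid` claim is on an allowlist and that the `iss` claim names the same tenant. The tenant IDs are constructed placeholders, and `make_test_token` builds an unsigned token purely so the check can be exercised offline.

```python
import base64
import json

# Tenants this application is willing to serve. Constructed placeholder IDs,
# not real Azure tenants. A multi-tenant app without such an allowlist (or
# an equivalent per-tenant policy) serves every Azure tenant in the world.
ALLOWED_TENANTS = {"11111111-1111-1111-1111-111111111111"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature).

    Assumption: the signature has already been verified by the app's JWT
    library. Decoding the payload proves nothing on its own, which is why
    this function is only the input to the tenant check below.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def tenant_allowed(claims: dict, allowed_tenants=ALLOWED_TENANTS) -> bool:
    """The check the summary describes as missing: reject tokens whose home
    tenant is not one the application has explicitly chosen to serve."""
    tid = claims.get("tid")
    if not tid or tid not in allowed_tenants:
        return False
    # Defense in depth: the issuer must name the same tenant as the tid claim.
    # These are the two issuer formats AAD uses (v2.0 and v1.0 endpoints).
    expected_issuers = {
        f"https://login.microsoftonline.com/{tid}/v2.0",
        f"https://sts.windows.net/{tid}/",
    }
    return claims.get("iss") in expected_issuers


def make_test_token(claims: dict) -> str:
    """Build an unsigned compact JWT for offline demonstration only.

    Constructed input: a real AAD token is RS256-signed and must be verified
    before its claims are trusted; this helper exists only to feed
    decode_claims() without a network round trip.
    """
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    home = "11111111-1111-1111-1111-111111111111"
    foreign = "22222222-2222-2222-2222-222222222222"
    for tid in (home, foreign):
        tok = make_test_token({
            "tid": tid,
            "iss": f"https://login.microsoftonline.com/{tid}/v2.0",
            "sub": "constructed-user",
        })
        print(tid, "allowed" if tenant_allowed(decode_claims(tok)) else "rejected")
```

The allowlist model shown here is the simplest form of the policy; an app that genuinely serves arbitrary tenants still needs a per-tenant onboarding record and should treat an unknown `tid` exactly as this code does, as a rejection, rather than as a new customer.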


SecurityWeek reports: "Microsoft Cloud Vulnerability Led to Bing Search Hijacking, Exposure of Office 365 Data"