Bing search results and Outlook email accounts were manipulated by a massive Microsoft attack.

Earlier this year, Microsoft’s Bing search engine had a severe vulnerability that allowed users to change search results and access other Bing users’ Teams, Outlook, and Office 365 data. In January, Intel security researchers found a misconfiguration in Azure, Microsoft’s cloud computing platform, that affected Bing and let Azure users access apps without authorization.

The weakness was in Azure Active Directory (AAD), Microsoft’s identity and access management service. The platform’s multi-tenant permissions allow any Azure user to log in to an app, so developers must validate access themselves. Wiz found that 25% of the multi-tenant apps it examined were misconfigured because those responsibilities were unclear.

Bing Trivia was one of them. The app’s content management system (CMS) allowed researchers to modify Bing.com’s live search results once they logged in using their own Azure accounts. Wiz points out that anyone who visited the Bing Trivia app page could have changed Bing’s search results to spread disinformation or phishing.

Through Bing’s Work section, the vulnerability could also be used to access other users’ Office 365 data, including Outlook emails, calendars, Teams communications, SharePoint documents, and OneDrive files. Wiz used the vulnerability to read emails from a fake victim’s mailbox. Mag News, Contact Center, PoliCheck, Power Automate Blog, and Cosmos were among over 1,000 apps and websites on Microsoft’s cloud with the same misconfiguration.

Wiz’s chief technology officer, Ami Luttwak, told The Wall Street Journal that a potential attacker could have influenced Bing search results and exposed millions of customers’ Microsoft 365 emails and data. “It may have been a nation-state aiming to sway public opinion or a financially motivated hacker.”

The bug was fixed on February 2, before Microsoft unveiled Bing’s AI-powered Talk function.

On January 31, Microsoft’s Security Response Center received the Bing vulnerability report. According to Luttwak (via The Wall Street Journal), Microsoft corrected the issue on February 2. On February 25, Wiz reported the additional vulnerable applications and stated Microsoft confirmed all disclosed flaws had been resolved on March 20. Microsoft also stated it had made further changes to prevent repeat misconfigurations.

Bing reached 100 million daily active users earlier this month after launching its AI-powered Bing Talk feature on February 7. As the 30th most visited website in the world, Bing might have exposed millions of users to the serious, easily accessible security flaw if it hadn’t been corrected a few days before.

Last October, a misconfigured Microsoft Azure endpoint caused the BlueBleed data breach, which affected 150,000 firms in 123 countries. Details of the newest cloud vulnerability were published in the same week that Microsoft is promoting its new Microsoft Security Copilot cybersecurity solution to enterprises.

Wiz said there is no evidence the vulnerability was exploited before it was fixed. However, Wiz argues that the flaw could have been exploitable for years, and Azure Active Directory logs may not show past activity. Wiz advises Azure Active Directory users to check their application logs for suspicious logins.
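
The log review Wiz recommends can be sketched as follows. This is an added example, not code from Wiz or Microsoft: it flags successful sign-ins to an organization's apps by accounts whose home tenant is neither the app's own tenant nor on an allowlist. The flattened field names, tenant IDs and app names are assumptions, and the records are constructed.

```python
import json
from collections import defaultdict

# Constructed sample records, not real log data. The flattened field names are
# assumptions modeled on Azure AD sign-in log entries; adapt them to your export.
SAMPLE_SIGNINS = json.loads("""[
 {"app": "Trivia CMS", "user": "editor@corp.example",
  "homeTenantId": "tenant-corp", "resourceTenantId": "tenant-corp", "errorCode": 0},
 {"app": "Trivia CMS", "user": "someone@other.example",
  "homeTenantId": "tenant-other", "resourceTenantId": "tenant-corp", "errorCode": 0},
 {"app": "Trivia CMS", "user": "dev@partner.example",
  "homeTenantId": "tenant-partner", "resourceTenantId": "tenant-corp", "errorCode": 0},
 {"app": "Contact Portal", "user": "x@else.example",
  "homeTenantId": "tenant-else", "resourceTenantId": "tenant-corp", "errorCode": 1},
 {"app": "Contact Portal", "user": "unknown",
  "homeTenantId": "", "resourceTenantId": "tenant-corp", "errorCode": 0}
]""")

def foreign_tenant_signins(records, allowed_tenants):
    """Successful sign-ins from a tenant that is neither the app's own nor allowlisted."""
    findings = []
    for rec in records:
        if rec.get("errorCode") != 0:
            continue  # non-zero is treated as a failed sign-in: no session issued
        home, resource = rec.get("homeTenantId"), rec.get("resourceTenantId")
        if not home:
            # Cannot attribute the account to a tenant: surface for manual review.
            findings.append({**rec, "reason": "home tenant missing"})
        elif home != resource and home not in allowed_tenants:
            findings.append({**rec, "reason": "unexpected external tenant"})
    return findings

def tenants_by_app(findings):
    """Group flagged sign-ins into {app: sorted list of external tenants}."""
    grouped = defaultdict(set)
    for rec in findings:
        grouped[rec["app"]].add(rec["homeTenantId"] or "(unknown)")
    return {app: sorted(tenants) for app, tenants in grouped.items()}

if __name__ == "__main__":
    hits = foreign_tenant_signins(SAMPLE_SIGNINS, allowed_tenants={"tenant-partner"})
    for app, tenants in tenants_by_app(hits).items():
        print(f"{app}: review sign-ins from {', '.join(tenants)}")
```

A flagged sign-in is a lead for review rather than proof of misuse, since an app intended to be multi-tenant will legitimately see external tenants.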
