Microsoft has patched a misconfiguration issue impacting the Azure Active Directory (AAD) identity and access management service that exposed several “high-impact” applications to unauthorized access.
“One of these apps is a content management system (CMS) that powers Bing.com and allowed us to not only modify search results, but also launch high-impact XSS attacks on Bing users,” cloud security firm Wiz said in a report. “Those attacks could compromise users’ personal data, including Outlook emails and SharePoint documents.”
The issues were reported to Microsoft in January and February 2022, following which the tech giant applied fixes and awarded Wiz a $40,000 bug bounty. Redmond said it found no evidence that the misconfigurations were exploited in the wild.
The crux of the vulnerability stems from what’s called “Shared Responsibility confusion,” wherein an Azure app can be incorrectly configured to allow users from any Microsoft tenant, leading to a potential case of unintended access.
Interestingly, a number of Microsoft’s own internal apps were found to exhibit this behavior, thereby permitting external parties to obtain read and write to the affected applications.
This includes the Bing Trivia app, which the cybersecurity firm exploited to alter search results in Bing and even manipulate content on the homepage as part of an attack chain dubbed BingBang.
To make matters worse, the exploit could be weaponized to trigger a cross-site scripting (XSS) attack on Bing.com and extract a victim’s Outlook emails, calendars, Teams messages, SharePoint documents, and OneDrive files.
“A malicious actor with the same access could’ve hijacked the most popular search results with the same payload and leak sensitive data from millions of users,” Wiz researcher Hillai Ben-Sasson noted.
Other apps that were found susceptible to the misconfiguration issue include Mag News, Central Notification Service (CNS), Contact Center, PoliCheck, Power Automate Blog, and COSMOS.
Unlock the secrets to bulletproof incident response – Master the 6-Phase process with Asaf Perlman, Cynet’s IR Leader!Don’t Miss Out – Save Your Seat!