Microsoft Exploit Allowed Users to Manipulate Bing Search Results and Access Outlook Email Accounts

    An exploitable vulnerability in Microsoft’s Bing search engine was discovered earlier this year. It allowed users to modify search results and gain access to other Bing users’ private information from services such as Outlook, Teams, and Office 365. In January, Wiz security researchers discovered a configuration error in Azure, Microsoft’s cloud computing platform, that allowed any Azure user to gain access to applications without authorization.

    The vulnerability affected Azure Active Directory (AAD), the identity and access management system. Any Azure user can access multi-tenant applications that use the platform’s multi-tenant permissions, so developers must validate who has permission to access their apps. This is a complex responsibility, and misconfigurations are common. Wiz estimates that 25 percent of multi-tenant apps it scans didn’t have proper validation.

    Bing Trivia was one of these apps. Researchers were able to log in to the app with their own Azure accounts. They discovered a CMS (content management system) that allowed them to control the live search results. Wiz points out that anyone landing on the Bing Trivia app page could have manipulated Bing’s search results in order to launch misinformation and phishing campaigns.

    Bing’s Work section was also examined, which revealed that the exploit could have been used to gain access to other Office 365 users’ data. This would expose Outlook emails, calendars, Teams messages, SharePoint documents, and OneDrive files. Wiz demonstrated that the vulnerability could be used to access emails from a simulated victim’s inbox. Similar exploitable misconfigurations were found in over 1,000 Microsoft cloud apps and websites, including Mag News, Contact Center, PoliCheck, and Power Automate Blog.

    “A potential attacker could influence Bing search results, and compromise Microsoft 365 email and data of millions more people,” Ami Luttwak, Wiz’s chief technology officer, told The Wall Street Journal. It could have been either a nation-state trying to influence public opinion, or a financially motivated hacker.

    This exploit was fixed on February 2, just days before Microsoft’s AI-powered Chat feature launched.

    The Microsoft Security Response Center received the report about Bing on January 31st. Luttwak claims that Microsoft resolved the issue on February 2nd. Wiz reported the vulnerability in other applications on February 25th. Microsoft later confirmed that all issues were fixed on March 20th. Microsoft stated that it has made additional changes to lower the chance of future misconfigurations.

    Bing has seen a rise in popularity recently, surpassing the milestone of 100,000,000 daily active users earlier this year after its AI-powered Bing Chat launch on February 7th. Bing’s rapid growth could have exposed millions more users to the easily accessible exploit if the issue hadn’t been fixed a few days earlier. Similarweb says that Bing is currently the 30th most popular website in the world.

    Last October, a similarly misconfigured Microsoft Azure endpoint led to the BlueBleed data leak, which exposed data from 150,000 companies across 123 countries. This latest vulnerability in Microsoft’s cloud system is being revealed retroactively in the same week that Microsoft is trying to sell its new Microsoft Security Copilot cybersecurity product to businesses.

    Wiz stated that there was no evidence that the vulnerability was exploited prior to its patch. However, Azure Active Directory logs will not necessarily give details about previous activity, and Wiz claims the issue could have been exploitable for many years. Wiz suggests that all organizations using Azure Active Directory inspect their application logs for suspicious logins.
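
    The tenant validation that multi-tenant apps are expected to perform, and the log review Wiz recommends, can both be built on the same tenant allow-list. The following is an added example, not code from Wiz or Microsoft: it assumes the token's signature, issuer and audience were already verified, and every tenant ID, app ID, user and log field name in it is constructed or hypothetical.

```python
# Added example: tenant allow-listing for a multi-tenant Azure AD app.
# Assumes token signature, issuer and audience were verified beforehand.
from dataclasses import dataclass

OURS = "11111111-1111-1111-1111-111111111111"     # constructed tenant IDs
PARTNER = "22222222-2222-2222-2222-222222222222"
FOREIGN = "99999999-9999-9999-9999-999999999999"
ALLOWED_TENANTS = {OURS, PARTNER}
APP = "app-internal-cms"                          # constructed app identifier

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str

def authorize(claims: dict, allowed_tenants=ALLOWED_TENANTS) -> Decision:
    """Decide access from verified claims; 'tid' is the Azure AD tenant ID claim."""
    tid = claims.get("tid")
    if not isinstance(tid, str) or not tid:
        return Decision(False, "missing tid claim")
    if tid.lower() not in allowed_tenants:
        return Decision(False, f"tenant {tid} not on allow-list")
    return Decision(True, "tenant allowed")

def foreign_tenant_signins(records, app_id, allowed_tenants=ALLOWED_TENANTS):
    """Return successful sign-ins to app_id from tenants not on the allow-list."""
    # Field names below are hypothetical; map them to your sign-in log export.
    return [
        r for r in records
        if r["app_id"] == app_id
        and r["success"]
        and str(r.get("home_tenant_id", "")).lower() not in allowed_tenants
    ]

# Constructed sample sign-in records, not real log data.
SAMPLE_SIGNINS = [
    {"app_id": APP, "user": "alice@corp.example", "success": True, "home_tenant_id": OURS},
    {"app_id": APP, "user": "mallory@other.example", "success": True, "home_tenant_id": FOREIGN},
    {"app_id": APP, "user": "bob@other.example", "success": False, "home_tenant_id": FOREIGN},
    {"app_id": "app-other", "user": "carol@other.example", "success": True, "home_tenant_id": FOREIGN},
]

if __name__ == "__main__":
    print(authorize({"tid": FOREIGN}))
    for hit in foreign_tenant_signins(SAMPLE_SIGNINS, APP):
        print("review:", hit["user"], hit["home_tenant_id"])
```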
