An exploitable vulnerability in Microsoft’s Bing search engine was discovered earlier this year. It allowed attackers to modify Bing search results and gain access to other Bing users’ private Office 365 data, such as Outlook emails and Teams messages. Wiz security researchers discovered in January that Microsoft applications hosted on Azure, Microsoft’s cloud computing platform, were misconfigured in a way that allowed any Azure user to access them without authorization.
The vulnerability involved Azure Active Directory (AAD), Azure’s identity and access management system. AAD applications can be registered as multi-tenant, meaning they accept sign-ins from users of any Azure tenant rather than only from the organization that registered the app. In that configuration it is the developer’s responsibility to validate which tenants and users are actually permitted, by checking the tenant identifier carried in the token that AAD issues. This is a complex responsibility, and misconfigurations are common: Wiz estimates that 25 percent of the multi-tenant apps it scanned lacked proper validation.
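To make the validation gap concrete, the following is an added example (not code from Wiz, Microsoft, or the original article). It decodes the claims of an Azure AD v2.0-style access token and compares the weak check, which accepts any token that Azure AD issued for the app, with the corrected check, which also pins the `tid` claim and the issuer to an explicit tenant allow-list. The tenant IDs, audience URI and usernames are constructed, and signature verification against the Azure AD signing keys is deliberately left out so the example runs offline; in production it must happen before any of these checks.

```python
import base64
import json

# Tenants this application is willing to serve (constructed sample IDs).
ALLOWED_TENANTS = frozenset({
    "11111111-1111-1111-1111-111111111111",  # the organisation's own tenant
    "22222222-2222-2222-2222-222222222222",  # a partner tenant explicitly onboarded
})
# Application ID URI the token must be intended for (constructed value).
EXPECTED_AUDIENCE = "api://trivia-cms"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_demo_token(claims: dict) -> str:
    """Build a JWT with an empty signature so the demo runs offline (constructed input)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT without checking the signature.

    In production the signature must first be verified against the Azure AD
    signing keys; that step is omitted here so the example needs no network.
    """
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def accepts_any_azure_user(claims: dict) -> bool:
    """The misconfiguration: trust any token that Azure AD issued for this app.

    Checking only that the issuer is *some* login.microsoftonline.com tenant
    means every Azure AD user in the world can sign in.
    """
    return (
        claims.get("aud") == EXPECTED_AUDIENCE
        and claims.get("iss", "").startswith("https://login.microsoftonline.com/")
    )


def accepts_allowed_tenant_only(claims: dict, allowed=ALLOWED_TENANTS) -> bool:
    """The fix: pin the tenant as well as the audience.

    The `tid` claim must be on the allow-list and the issuer must be exactly the
    v2.0 endpoint of that same tenant, so the two claims cannot disagree.
    """
    tid = claims.get("tid")
    if tid not in allowed:
        return False
    expected_iss = f"https://login.microsoftonline.com/{tid}/v2.0"
    return claims.get("aud") == EXPECTED_AUDIENCE and claims.get("iss") == expected_iss


def _claims(tid: str, upn: str, iss_tid=None) -> dict:
    """Constructed claim set in the v2.0 token layout (assumed format)."""
    iss_tid = iss_tid or tid
    return {
        "iss": f"https://login.microsoftonline.com/{iss_tid}/v2.0",
        "aud": EXPECTED_AUDIENCE,
        "tid": tid,
        "preferred_username": upn,
    }


# Constructed sample tokens: one from the owning tenant, one from an arbitrary
# Azure tenant (the Bing Trivia scenario), and one whose tid and iss disagree.
OWN_TOKEN = make_demo_token(_claims("11111111-1111-1111-1111-111111111111", "alice@contoso.example"))
FOREIGN_TOKEN = make_demo_token(_claims("99999999-9999-9999-9999-999999999999", "mallory@attacker.example"))
MISMATCH_TOKEN = make_demo_token(
    _claims("11111111-1111-1111-1111-111111111111", "mallory@attacker.example",
            iss_tid="99999999-9999-9999-9999-999999999999"))


def evaluate(token: str) -> dict:
    """Run both checks on a token and report the outcome of each."""
    claims = decode_claims(token)
    return {
        "user": claims.get("preferred_username"),
        "weak": accepts_any_azure_user(claims),
        "strict": accepts_allowed_tenant_only(claims),
    }


if __name__ == "__main__":
    for name, tok in [("own", OWN_TOKEN), ("foreign", FOREIGN_TOKEN), ("mismatch", MISMATCH_TOKEN)]:
        print(name, evaluate(tok))
```

The foreign token passes the weak check and fails the strict one, which is the whole bug: a token signed by Azure AD proves the bearer has an Azure account, not that they belong to a tenant the app is meant to serve.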
Bing Trivia was one of these apps. The researchers were able to log in to it with their own Azure accounts and found a CMS (content management system) that let them control the live search results on Bing.com. Wiz points out that anyone landing on the Bing Trivia app page could have manipulated Bing’s search results to launch misinformation and phishing campaigns.
Examining Bing’s Work section, which surfaces Office 365 content for signed-in users, revealed that the exploit could also have been used to reach other Office 365 users’ data: Outlook emails and calendars, Teams messages, SharePoint documents, and OneDrive files. Wiz demonstrated this by retrieving emails from a simulated victim’s inbox. Similar misconfigurations were found in over 1,000 Microsoft cloud apps and websites, including Mag News, Contact Center, PoliCheck, and the Power Automate Blog.
“A potential attacker could influence Bing search results, and compromise Microsoft 365 email and data of millions more people,” Ami Luttwak (Wiz’s chief technology officer) told The Wall Street Journal. The attacker could have been a nation-state trying to influence public opinion or a financially motivated hacker.
The exploit was fixed on February 2, just days before Microsoft launched its AI-powered Bing Chat feature.
Microsoft Security Response Center received the Bing report on January 31st, and Luttwak says Microsoft resolved that issue on February 2nd. Wiz reported the vulnerabilities in the other applications on February 25th, and Microsoft later confirmed that all issues were fixed by March 20th. Microsoft stated that it has made additional changes to lower the chance of future misconfigurations.
Bing has seen a rise in popularity recently, surpassing 100 million daily active users earlier this year after the launch of AI-powered Bing Chat on February 7th. That rapid growth would have exposed millions more users to the easily reachable vulnerability had it not been fixed a few days earlier. According to Similarweb, Bing is currently the 30th most popular website in the world.
Last October, a similarly misconfigured Microsoft Azure endpoint led to the BlueBleed data leak, which exposed data from 150,000 companies across 123 countries. The latest vulnerability in Microsoft’s cloud is being revealed retroactively in the same week that Microsoft is trying to sell its new Microsoft Security Copilot cybersecurity product to businesses.
Wiz stated that it found no evidence that the vulnerability was exploited before it was patched. However, Azure Active Directory logs will not necessarily give details of past activity, and Wiz says the issue could have been exploitable for years. Wiz suggests that all organizations using Azure Active Directory inspect their application logs for suspicious sign-ins, in particular sign-ins to their own apps by accounts from tenants they do not recognize.
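One way to carry out that log review, as an added example that is not from Wiz, Microsoft, or the original article: scan exported sign-in records and flag sign-ins to this tenant’s applications by accounts whose home tenant is neither ours nor a partner we knowingly onboarded. The records below are constructed; their field names (userPrincipalName, appDisplayName, homeTenantId, resourceTenantId, createdDateTime) are assumed to match the Azure AD sign-in log shape, and the tenant IDs and users are invented.

```python
import json
from collections import Counter

# Tenant whose sign-in logs are being reviewed (constructed value).
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
# Tenants whose guest users are expected to reach our apps (constructed allow-list).
KNOWN_PARTNER_TENANTS = {"22222222-2222-2222-2222-222222222222"}

# Constructed sample records, one JSON object per line. The field names are
# assumed to follow Azure AD sign-in log entries; the values are invented.
SAMPLE_LOG = """\
{"createdDateTime": "2023-01-15T08:01:02Z", "userPrincipalName": "alice@contoso.example", "appDisplayName": "Trivia CMS", "homeTenantId": "11111111-1111-1111-1111-111111111111", "resourceTenantId": "11111111-1111-1111-1111-111111111111"}
{"createdDateTime": "2023-01-15T08:05:44Z", "userPrincipalName": "bob@partner.example", "appDisplayName": "Trivia CMS", "homeTenantId": "22222222-2222-2222-2222-222222222222", "resourceTenantId": "11111111-1111-1111-1111-111111111111"}
{"createdDateTime": "2023-01-15T09:12:09Z", "userPrincipalName": "mallory@outlook.example", "appDisplayName": "Trivia CMS", "homeTenantId": "99999999-9999-9999-9999-999999999999", "resourceTenantId": "11111111-1111-1111-1111-111111111111"}
{"createdDateTime": "2023-01-15T09:30:00Z", "userPrincipalName": "alice@contoso.example", "appDisplayName": "Office 365 Exchange Online", "homeTenantId": "11111111-1111-1111-1111-111111111111", "resourceTenantId": "11111111-1111-1111-1111-111111111111"}
{"createdDateTime": "2023-01-15T10:47:31Z", "userPrincipalName": "mallory@outlook.example", "appDisplayName": "Blog Admin", "homeTenantId": "99999999-9999-9999-9999-999999999999", "resourceTenantId": "11111111-1111-1111-1111-111111111111"}
{"createdDateTime": "2023-01-15T11:00:00Z", "userPrincipalName": "carol@contoso.example", "appDisplayName": "Partner Portal", "homeTenantId": "11111111-1111-1111-1111-111111111111", "resourceTenantId": "22222222-2222-2222-2222-222222222222"}
"""


def parse_signins(text: str) -> list:
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def foreign_tenant_signins(records, home_tenant=HOME_TENANT, known_partners=KNOWN_PARTNER_TENANTS):
    """Sign-ins to this tenant's applications by accounts from unexpected tenants.

    A sign-in is suspicious when the resource belongs to us but the user's home
    tenant is neither ours nor a partner we knowingly onboarded. Sign-ins by our
    own users to other tenants' apps are ignored; those are not our exposure.
    """
    hits = []
    for rec in records:
        if rec.get("resourceTenantId") != home_tenant:
            continue
        home = rec.get("homeTenantId")
        if home and home != home_tenant and home not in known_partners:
            hits.append(rec)
    return hits


def summarize(hits) -> Counter:
    """Count suspicious sign-ins per (application, foreign tenant) pair."""
    return Counter((h["appDisplayName"], h["homeTenantId"]) for h in hits)


if __name__ == "__main__":
    report = summarize(foreign_tenant_signins(parse_signins(SAMPLE_LOG)))
    for (app, tenant), n in report.items():
        print(f"{app}: {n} sign-in(s) from tenant {tenant}")
```

The partner-tenant allow-list matters: B2B guest users legitimately sign in from foreign home tenants, so without it the review drowns in expected traffic. Any app that appears in the report with sign-ins from tenants nobody onboarded is a candidate for the same missing tenant validation that affected Bing Trivia.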