Azure AD Vulnerability affecting Bing Search Fixed by Microsoft
Microsoft fixed a misconfiguration problem affecting its Azure Active Directory (AAD) identity and access management service which allowed unauthorized entry to a number of “high-impact” apps.
Cloud security company Wiz said in a report that one of these applications, a content management system (CMS) that runs Bing.com, “allowed us to not only manipulate results from searches, but also launch significant impact XSS attacks on Bing users.” “Those attacks may compromise user personal information, including emails sent through Outlook and documents stored in SharePoint.”
After receiving reports of the problems in the months of January and February 2022, Microsoft fixed them and gave Wiz a $40,000 bug reward. Redmond claimed there was no proof that the incorrect versions were used in the open.
The vulnerability’s core is caused by “Shared Responsibility confusion,” in which an Azure service may be mistakenly set up to accept users from any Microsoft tenant, potentially opening the door to unwanted access. It’s interesting to note that few of Microsoft’s own internal applications were discovered to display this behavior thus allowing outside parties to access read and write access to the impacted apps.
This involves the Bing Trivia app, which a cybersecurity firm leveraged as a component of an attack chain dubbed BingBang to change search outcomes in Bing and even modify content on the homepage.
The vulnerability could be leveraged to launch a Cross-Site Scripting (XSS) attack on the website Bing.com and extract the victim’s Outlook emails, calendars, Teams messages, SharePoint documents, and OneDrive data, which would make the situation worse.
See more: Cylance Ransomware targeting Linux and Windows Devices
According to Wiz analyst Hillai Ben-Sasson, “A malicious attacker using Identical access could have hijacked the most famous search engine results with the similar payload and millions of users’ confidential information is leaked. Other programmes that have been found to be vulnerable to the misconfiguration issue include Mag News, Central News Service (CNS), Contact Center, PoliCheck, Power Automate Blog, and COSMOS.
The change occurs after corporate penetration testing company NetSPI disclosed information about a cross-tenant vulnerability within the Power Platform’s connections that could be exploited to access private information.
See more: 30K patients impacted by Ransomware Attack in Maryland hospital
The deserialization flaw was fixed by Microsoft in December 2022 after a responsible exposure in September 2022. The study comes after updates to fix Super FabriXss (CVE-2023-23383, CVSS score: 8.2), an unauthenticated remote code execution the vulnerability in Azure Service Fabric Explorer (SFX) that is mirrored XSS.
Author: Harsh Vikram Shahi
We hope you found article interesting. For more exclusive content follow us on Facebook, Twitter and LinkedIn