Microsoft fixes Azure BingBang bug that allowed Bing search hijacking and leaked private data


Microsoft has addressed a serious flaw in Azure Active Directory, dubbed BingBang by the security researchers who discovered it.

The vulnerability not only made it possible to manipulate Bing search results, but also to access private data from Outlook, Office 365 and Teams. The issue stemmed from an Azure misconfiguration; it dates back to January this year, but Microsoft has only just plugged the hole.


Security analysts from Wiz Research explain that they found a new attack vector in Azure Active Directory that exposed misconfigured applications to unauthorized access. Describing these misconfigurations as "fairly popular", the researchers say that around a quarter of the multi-tenant applications they examined turned out to be vulnerable.

In a blog post, the team says:

We found several high-impact, vulnerable Microsoft applications. One of these apps is a content management system (CMS) that powers Bing.com and allowed us to not only modify search results, but also launch high-impact XSS attacks on Bing users. Those attacks could compromise users' personal data, including Outlook emails and SharePoint documents.

The security researchers at Wiz also shared a video showing the vulnerability being exploited.

Microsoft says that it has now "addressed an authorization misconfiguration for multi-tenant applications that use Azure AD". The company says that the issue "impacted a small number of our internal applications".
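The article does not spell out what the "authorization misconfiguration for multi-tenant applications" looks like in code. The example below is added here and is not code from the article, from Wiz or from Microsoft; it assumes the misconfiguration takes the common form of an application that accepts any validly signed Azure AD token for its own app ID without checking which tenant issued it. The claim names (`aud`, `iss`, `tid`, `exp`) are the standard Azure AD token claims; the tenant and application IDs are constructed placeholders, and signature verification is assumed to have already happened before these checks run.

```python
"""Tenant pinning for a multi-tenant Azure AD application (added example).

Assumption: the misconfiguration is an app that trusts a token from ANY
Azure AD tenant as long as it is signed by Azure AD and addressed to the app.
The fix shown is to allow-list the issuing tenant and tie the issuer URL to it.
"""
import time

# Constructed placeholder identifiers, not real tenants or applications.
HOME_TENANT_ID = "11111111-1111-1111-1111-111111111111"
FOREIGN_TENANT_ID = "22222222-2222-2222-2222-222222222222"
APP_CLIENT_ID = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
# Standard Azure AD v2.0 issuer format; the tenant ID is embedded in the URL.
AZURE_AD_ISSUER_FMT = "https://login.microsoftonline.com/{tid}/v2.0"


def weak_authorize(claims: dict) -> bool:
    """Misconfigured check: only 'is this token for my app and still valid?'.

    Because Azure AD will mint such a token for a user in any tenant that
    consents to the app, every tenant's users pass this check.
    """
    return claims.get("aud") == APP_CLIENT_ID and claims.get("exp", 0) > time.time()


def strict_authorize(claims: dict, allowed_tenants=frozenset({HOME_TENANT_ID})) -> bool:
    """Hardened check: audience, expiry, and the issuing tenant are all pinned.

    The token must carry an allow-listed `tid`, and its `iss` must be the
    Azure AD issuer URL for that same tenant, so a token minted by another
    tenant cannot be accepted even if it is addressed to this app.
    """
    if claims.get("aud") != APP_CLIENT_ID:
        return False
    if claims.get("exp", 0) <= time.time():
        return False
    tid = claims.get("tid")
    if tid not in allowed_tenants:
        return False
    return claims.get("iss") == AZURE_AD_ISSUER_FMT.format(tid=tid)


def sample_claims(tid: str) -> dict:
    """Constructed token payload for a user in tenant `tid` (post signature check)."""
    return {
        "aud": APP_CLIENT_ID,
        "iss": AZURE_AD_ISSUER_FMT.format(tid=tid),
        "tid": tid,
        "oid": "constructed-user-object-id",
        "exp": int(time.time()) + 3600,
    }


def compare(tid: str) -> tuple:
    """Return (weak_decision, strict_decision) for a token issued by tenant `tid`."""
    claims = sample_claims(tid)
    return weak_authorize(claims), strict_authorize(claims)


if __name__ == "__main__":
    print("home tenant token:   ", compare(HOME_TENANT_ID))     # (True, True)
    print("foreign tenant token:", compare(FOREIGN_TENANT_ID))  # (True, False)
```

The point of the comparison is that both tokens are genuine Azure AD tokens for the application; only the second check notices that the foreign one was issued by a tenant the application never intended to serve.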

Summarizing its response to the findings, Microsoft says:

  • Microsoft immediately corrected the misconfiguration and added additional authorization checks to address the issue and confirmed that no unintended access had occurred.
  • Microsoft has confirmed that all the actions outlined by the researchers are no longer possible because of these fixes.
  • Microsoft made additional changes to reduce the risk of future misconfigurations.

Technical details of the misconfiguration are available in the MSRC blog post.
