Microsoft fixes Azure BingBang bug that allowed Bing search hijacking and leaked private data
Microsoft has addressed a serious flaw in Azure Active Directory which was dubbed BingBang by the security researchers who discovered it.
The vulnerability not only made it possible to manipulate Bing search results, but also to access private data from Outlook, Office 365 and Teams. The issue stemmed from an Azure misconfiguration; it dates back to January this year, but Microsoft has only just plugged the hole.
Security analysts from Wiz Research explain that they found a new attack vector in Azure Active Directory that exposed misconfigured applications to unauthorized access. Describing these misconfigurations as "fairly popular", the researchers say that around a quarter of multi-tenant applications turned out to be vulnerable.
In a blog post, the team says:
We found several high-impact, vulnerable Microsoft applications. One of these apps is a content management system (CMS) that powers Bing.com and allowed us to not only modify search results, but also launch high-impact XSS attacks on Bing users. Those attacks could compromise users' personal data, including Outlook emails and SharePoint documents.
The security researchers at Wiz shared a video that shows the vulnerability being exploited:
Microsoft says that it has now "addressed an authorization misconfiguration for multi-tenant applications that use Azure AD". The company says that the issue "impacted a small number of our internal applications".
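The kind of authorization check a fix like this adds, as an added illustration that is not Microsoft's or Wiz's code: an application registered as multi-tenant receives tokens issued by any Azure AD tenant, so the application itself has to confirm that the token's tenant (`tid`) and issuer (`iss`) claims belong to a tenant it actually serves. The tenant IDs, tokens and the v2.0 issuer format used below are assumptions and constructed sample data; signature verification is assumed to happen separately, before claims are trusted.

```python
"""Tenant allow-listing for an Azure AD multi-tenant application.

Added example, not code from Microsoft, Wiz or the article. It assumes
the common pattern behind a multi-tenant authorization misconfiguration:
the identity provider accepts sign-ins from any tenant, so the app must
check the 'tid' and 'iss' claims against the tenants it serves. Tokens
here are constructed sample payloads with an empty signature segment;
a real service verifies the JWT signature with a JOSE library first.
"""
import base64
import json

# Assumed: the only tenant this internal application is meant to serve.
ALLOWED_TENANTS = {"11111111-1111-1111-1111-111111111111"}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def read_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (signature not checked here)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(b64url_decode(parts[1]))


def tenant_authorized(claims: dict, allowed_tenants=ALLOWED_TENANTS) -> bool:
    """The check a multi-tenant app must perform itself: the token's tenant
    must be one we serve, and the issuer must be that tenant's endpoint
    (assumed Azure AD v2.0 format: https://login.microsoftonline.com/{tid}/v2.0)."""
    tid = claims.get("tid")
    iss = claims.get("iss", "")
    if tid not in allowed_tenants:
        return False
    return iss == f"https://login.microsoftonline.com/{tid}/v2.0"


def make_sample_token(claims: dict) -> str:
    """Build an unsigned sample token for the demo (constructed test data only)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    # Empty third segment stands in for the signature the real verifier checks.
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed: a token from the served tenant and one from a foreign tenant.
HOME_TOKEN = make_sample_token({
    "tid": "11111111-1111-1111-1111-111111111111",
    "iss": "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0",
    "sub": "user-a",
})
FOREIGN_TOKEN = make_sample_token({
    "tid": "22222222-2222-2222-2222-222222222222",
    "iss": "https://login.microsoftonline.com/22222222-2222-2222-2222-222222222222/v2.0",
    "sub": "user-b",
})

if __name__ == "__main__":
    for name, tok in (("home tenant", HOME_TOKEN), ("foreign tenant", FOREIGN_TOKEN)):
        verdict = "authorized" if tenant_authorized(read_claims(tok)) else "rejected"
        print(f"{name}: {verdict}")
```

Without the `tenant_authorized` step, a validly signed token from any tenant would be accepted; with it, only the tenants the application was built for get through, which is the gap that "additional authorization checks" closes.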
Summarizing its response to the findings, Microsoft says:
- Microsoft immediately corrected the misconfiguration and added additional authorization checks to address the issue and confirmed that no unintended access had occurred.
- Microsoft has confirmed that all the actions outlined by the researchers are no longer possible because of these fixes.
- Microsoft made additional changes to reduce the risk of future misconfigurations.
Technical details of the misconfiguration are available in the MSRC blog post.