The Wiz Research team was awarded $40,000 as a bug bounty by Microsoft for the responsible disclosure of the vulnerability.
Wiz Research identified a new attack vector in Azure Active Directory (AAD) that compromised Microsoft’s Bing.com. The vulnerability allowed unauthorized access to misconfigured applications, among them several Microsoft applications, including the Content Management System (CMS) powering Bing.com.
Researchers were able to take over the functionality of Bing.com, modify search results, and potentially steal the Office 365 credentials of millions of Bing users. Wiz Research named this attack “BingBang,” and it required no code to exploit.
Microsoft fixed its vulnerable applications and modified some AAD functionality to reduce customer exposure after Wiz Research responsibly disclosed the issues. Microsoft awarded Wiz Research $40,000 as a bug bounty.
The researchers found that 25% of the multi-tenant apps scanned on the internet were vulnerable, including a Microsoft-made app named “Bing Trivia.” After logging into Bing Trivia with their own Azure user, they found a CMS linked to Bing.com.
In addition, they temporarily altered the content of a keyword in the CMS to prove that they could control arbitrary search results on Bing.com. If someone with malicious intentions accessed the Bing Trivia app page, they could alter search results, spread false information, and attempt to trick people into giving away their personal information by impersonating other websites.
The researchers further discovered that they could use Cross-Site Scripting (XSS) to compromise the Office 365 token of any Bing user. Bing and Office 365 are integrated, and Bing has a “Work” section that allows users to search their Office 365 data. Using this feature, the researchers crafted an XSS payload that stole Office 365 access tokens from users.
With a stolen token, a potential attacker could access Bing users’ Office 365 data, including Outlook emails, calendars, Teams messages, SharePoint documents, and OneDrive files. Millions of users could have been exposed to malicious search results and Office 365 data theft.
In a report, Wiz warned that any organization with Azure Active Directory (AAD) applications configured as multi-tenant and lacking authorization checks was at risk of similar attacks. Therefore, administrators are advised to ensure that multi-tenant access is properly configured or to switch to single-tenant authentication if multi-tenancy is not required. Checking logs for past activity in vulnerable applications is also recommended.
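The missing piece in the vulnerable applications was an application-side tenant check: Azure AD will happily issue a valid token to a user from any tenant once an app is registered as multi-tenant, so the app itself must decide which tenants may enter. The following is an added example (not code from Wiz or Microsoft) of that check on already-validated v2.0 token claims; the tenant IDs and usernames are constructed, and signature, audience and expiry validation are assumed to have been done by a JWT library beforehand.

```python
# Added example: tenant authorization for a multi-tenant Azure AD app.
# Assumes the JWT's signature, audience and expiry were already verified by
# a JWT library; this code only decides whether the token's *tenant* may enter.
from dataclasses import dataclass, field

# Issuer format for Azure AD v2.0 tokens; the tenant in the issuer must
# match the token's "tid" claim.
AAD_ISSUER_V2 = "https://login.microsoftonline.com/{tid}/v2.0"


@dataclass
class TenantPolicy:
    # Tenants allowed to use the app. allow_any_tenant=True reproduces the
    # "any Azure AD account may sign in" posture that BingBang abused.
    allowed_tenants: set = field(default_factory=set)
    allow_any_tenant: bool = False


def tenant_authorized(claims: dict, policy: TenantPolicy) -> bool:
    """Return True only if the validated token's tenant may access the app."""
    tid = claims.get("tid")
    iss = claims.get("iss")
    if not tid or not iss:
        return False
    # Reject tokens whose issuer does not belong to the tenant they claim.
    if iss != AAD_ISSUER_V2.format(tid=tid):
        return False
    if policy.allow_any_tenant:
        return True
    return tid in policy.allowed_tenants


# Constructed claim sets with hypothetical tenant IDs (not real values).
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
OTHER_TENANT = "22222222-2222-2222-2222-222222222222"
home_user = {"tid": HOME_TENANT, "iss": AAD_ISSUER_V2.format(tid=HOME_TENANT),
             "preferred_username": "admin@contoso.example"}
outsider = {"tid": OTHER_TENANT, "iss": AAD_ISSUER_V2.format(tid=OTHER_TENANT),
            "preferred_username": "anyone@other.example"}
mismatched = {"tid": HOME_TENANT, "iss": AAD_ISSUER_V2.format(tid=OTHER_TENANT)}

# Vulnerable posture: multi-tenant app that trusts any valid AAD token.
vulnerable = TenantPolicy(allow_any_tenant=True)
# Hardened posture: explicit allowlist of the tenants that should use the app.
hardened = TenantPolicy(allowed_tenants={HOME_TENANT})

if __name__ == "__main__":
    for name, c in [("home_user", home_user), ("outsider", outsider),
                    ("mismatched", mismatched)]:
        print(f"{name}: vulnerable={tenant_authorized(c, vulnerable)} "
              f"hardened={tenant_authorized(c, hardened)}")
```

The outsider token is accepted under the vulnerable policy and rejected under the hardened one, which is exactly the difference between the misconfigured apps Wiz found and a correctly scoped one.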
The vulnerability discovered in Bing.com serves as a reminder that a simple developer mistake can have critical implications, potentially disrupting one of the world’s most popular websites. The cloud’s flexibility of infrastructure accelerates innovation but also brings changes and new risks.
In this case, a user can accidentally expose a sensitive service to the internet with the click of a button. As cloud builders, the agility with which we develop and deploy applications should be matched by our security practices, and security should be embedded in every step of the development process.