Azure blunder left Bing results editable, MS 365 accounts potentially exposed
2023-03-30 23:30

A misconfiguration in Microsoft's Azure Active Directory could have allowed miscreants to subvert Microsoft's Bing search engine - even changing search results.

The team "spotted several" of these misconfigured apps, including one called Bing Trivia.

The researchers created a new account and were able to log in to Bing Trivia, where they found a Content Management System, and altered the "Best soundtracks" query - changing the first item, "Dune," to the team's favorite, "Hackers."

Wiz noticed that Bing's "Work" section, which allows users to search their Office 365 data, was based on the Office 365 API. "One specific endpoint created JWT tokens for the Office 365 API, so we generated a new XSS payload via this endpoint," Ben-Sasson wrote.
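The defensive point behind both the "created a new account and were able to log in" finding and the JWT endpoint above is that an application must not treat a validly signed identity token as sufficient on its own; it must also check that the token comes from a tenant it actually trusts. The following is an added illustration, not code from the article or from Wiz or Microsoft, and it assumes (as an inference from the article, not a stated fact) that the misconfigured apps accepted sign-ins from accounts outside the tenant they were meant to serve. The signing key, issuer URL and tenant IDs are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values: a shared HS256 key and a single trusted tenant ID.
# Real Azure AD tokens are RS256-signed with published keys; the tenant check is the same idea.
DEMO_KEY = b"demo-signing-key"
ALLOWED_TENANTS = {"11111111-1111-1111-1111-111111111111"}
ISSUER_TEMPLATE = "https://login.example/{tid}/v2.0"  # placeholder issuer format


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(tid: str, key: bytes = DEMO_KEY) -> str:
    """Build an HS256 JWT carrying a 'tid' (tenant) claim, for demonstration only."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"tid": tid, "iss": ISSUER_TEMPLATE.format(tid=tid), "sub": "demo-user"}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_token(token: str, key: bytes = DEMO_KEY, allowed=ALLOWED_TENANTS) -> bool:
    """Accept the token only if its signature is valid AND its tenant is explicitly trusted."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False  # malformed token
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False  # bad signature
    claims = json.loads(_b64url_decode(payload))
    tid = claims.get("tid")
    # A valid signature only proves that SOME tenant's user signed in; the app must
    # additionally confirm the tenant (and matching issuer) is one it trusts.
    return tid in allowed and claims.get("iss") == ISSUER_TEMPLATE.format(tid=tid)
```

The second assertion in a test of this code is the interesting one: a token that is perfectly well signed but issued for an unknown tenant is rejected, which is the check an application open to any account lacks.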

In addition to Bing Trivia, Wiz found other internal Microsoft apps with similar misconfigurations.

These included a control panel for the MSN Newsletter called Mag News, an API for Microsoft's Central Notification Service, Contact Center, an internal tool called PoliCheck that scans for forbidden words in Microsoft code, a WordPress admin panel that allowed Wiz to publish fake posts to a trusted Microsoft.com domain, and finally Microsoft's Cosmos file management system with more than four exabytes of files.
News URL

https://go.theregister.com/feed/www.theregister.com/2023/03/30/wiz_bing_takeover/