Security News > 2023 > March > Bing search results hijacked via misconfigured Microsoft app

Bing search results hijacked via misconfigured Microsoft app
2023-03-30 17:05

A misconfigured Microsoft application allowed anyone to log in and modify Bing.com search results in real-time, as well as inject XSS attacks to potentially breach the accounts of Office 365 users.

Wiz researchers found that when creating an application in Azure App Services and Azure Functions, the app can be mistakenly configured to allow users from any Microsoft tenant, including public users, to log in to the application.

Wiz's analysts found a misconfigured "Bing Trivia" app that allowed anyone to log in to the application and access its CMS. However, they soon discovered that the application was directly linked to Bing.com, allowing them to modify the live content shown in Bing search results.

To verify they had complete control, the researchers attempted and succeeded in modifying search results for the "Best soundtracks" search term, adding arbitrary results to the top carousel.

Microsoft downplayed the issue, saying that the misconfiguration that allowed external parties read and write access impacted only a small number of internal applications and was corrected immediately.

"For the remainder of multi-tenant resource applications that rely on access from clients without a service principal, we have provided instructions in an Azure Service Health Security Advisory to Global Admins and in the Microsoft 365 Message Center."


News URL

https://www.bleepingcomputer.com/news/security/bing-search-results-hijacked-via-misconfigured-microsoft-app/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 365 50 1369 2819 161 4399