
Bing search results hijacked via misconfigured Microsoft app
2023-03-30 17:05

A misconfigured Microsoft application allowed anyone to log in and modify Bing.com search results in real time, as well as launch XSS attacks that could potentially breach the accounts of Office 365 users.

Wiz researchers found that when creating an application in Azure App Services and Azure Functions, the app can be mistakenly configured to allow users from any Microsoft tenant, including public users, to log in to the application.

Wiz's analysts found a misconfigured "Bing Trivia" app that allowed anyone to log in to the application and access its CMS. They soon discovered that the application was directly linked to Bing.com, which allowed them to modify the live content shown in Bing search results.

To verify they had complete control, the researchers successfully modified the search results for the "Best soundtracks" search term, adding arbitrary results to the top carousel.

Microsoft downplayed the issue, saying that the misconfiguration that allowed external parties read and write access impacted only a small number of internal applications and was corrected immediately.

"For the remainder of multi-tenant resource applications that rely on access from clients without a service principal, we have provided instructions in an Azure Service Health Security Advisory to Global Admins and in the Microsoft 365 Message Center."
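
For defenders checking their own tenant for the misconfiguration described above, the following added example (not from the original article, Wiz or Microsoft) audits app registration objects exported as JSON and flags those whose `signInAudience` admits users from outside the home tenant. The sample records, app IDs and the `approved_multi_tenant` allowlist are constructed for illustration.

```python
# signInAudience values defined for Azure AD (Microsoft Entra ID) app registrations.
AUDIENCE_RISK = {
    "AzureADMyOrg": None,  # single tenant: only the home tenant can sign in
    "AzureADMultipleOrgs": "users from any Azure AD tenant can sign in",
    "AzureADandPersonalMicrosoftAccount": "any Azure AD tenant and personal accounts can sign in",
    "PersonalMicrosoftAccount": "personal Microsoft accounts can sign in",
}

def audit_app_registrations(apps, approved_multi_tenant=()):
    """Return findings for apps whose sign-in audience extends beyond the home tenant."""
    approved = set(approved_multi_tenant)  # hypothetical allowlist of reviewed app IDs
    findings = []
    for app in apps:
        audience = app.get("signInAudience")
        if audience in AUDIENCE_RISK:
            reason = AUDIENCE_RISK[audience]
        else:
            reason = f"unrecognised signInAudience {audience!r}; review manually"
        if reason is None or app.get("appId") in approved:
            continue
        redirect_uris = (app.get("web") or {}).get("redirectUris") or []
        findings.append({
            "appId": app.get("appId"),
            "displayName": app.get("displayName"),
            "signInAudience": audience,
            "reason": reason,
            "interactive_web_login": bool(redirect_uris),
        })
    # Apps with a web sign-in flow first: those present a login page to outsiders.
    findings.sort(key=lambda f: not f["interactive_web_login"])
    return findings

# Constructed sample records in the shape of exported app registration objects.
SAMPLE = [
    {"appId": "app-0004", "displayName": "batch-job", "signInAudience": "AzureADandPersonalMicrosoftAccount", "web": {"redirectUris": []}},
    {"appId": "app-0002", "displayName": "hr-portal", "signInAudience": "AzureADMyOrg", "web": {"redirectUris": ["https://hr.example.com/signin"]}},
    {"appId": "app-0003", "displayName": "partner-api", "signInAudience": "AzureADMultipleOrgs"},
    {"appId": "app-0001", "displayName": "internal-cms", "signInAudience": "AzureADMultipleOrgs", "web": {"redirectUris": ["https://cms.example.com/signin"]}},
]

if __name__ == "__main__":
    for f in audit_app_registrations(SAMPLE, approved_multi_tenant={"app-0003"}):
        print(f"{f['displayName']}: {f['signInAudience']} ({f['reason']}), web login: {f['interactive_web_login']}")
```

A flagged app is a candidate for review, not a confirmed exposure: a multi-tenant registration is safe when the application itself checks which users and tenants are authorized after sign-in.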


News URL

https://www.bleepingcomputer.com/news/security/bing-search-results-hijacked-via-misconfigured-microsoft-app/
