Microsoft Fixes New Azure AD Vulnerability Impacting Bing Search and Major Apps (Security News, April 2023)
Microsoft has patched a misconfiguration issue impacting the Azure Active Directory identity and access management service that exposed several "High-impact" applications to unauthorized access.
"One of these apps is a content management system that powers Bing.com and allowed us to not only modify search results, but also launch high-impact XSS attacks on Bing users," cloud security firm Wiz said in a report.
The issues were reported to Microsoft in January and February 2022, following which the tech giant applied fixes and awarded Wiz a $40,000 bug bounty.
The crux of the vulnerability stems from what's called "Shared Responsibility confusion," wherein an Azure app can be incorrectly configured to allow users from any Microsoft tenant, leading to a potential case of unintended access.
This includes the Bing Trivia app, which the cybersecurity firm exploited to alter search results in Bing and even manipulate content on the homepage as part of an attack chain dubbed BingBang.
Following responsible disclosure in September 2022, the deserialization vulnerability was resolved by Microsoft in December 2022.
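The "Shared Responsibility confusion" above comes down to a multi-tenant Azure AD app accepting a token from any Microsoft tenant without checking which tenant issued it. The following added example (not code from Wiz, Microsoft, or the original article) shows the tenant allow-list check such an app must perform on the token's `tid` and `iss` claims; the tenant ID, the token and the helper names are constructed, and signature verification is assumed to have been done beforehand by a proper JWT library.

```python
import base64
import json

# Constructed allow-list: only tokens issued for these tenant IDs are accepted.
ALLOWED_TENANTS = {"11111111-1111-1111-1111-111111111111"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT.
    This does NOT check the signature; call it only after a JWT library has verified it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    return json.loads(_b64url_decode(parts[1]))


def tenant_allowed(claims: dict, allowed: set) -> bool:
    """Reject a token whose tenant is not on the allow-list.
    A multi-tenant app that skips this check accepts users from any Microsoft tenant,
    which is the misconfiguration the BingBang research exploited."""
    tid = claims.get("tid")
    iss = claims.get("iss", "")
    if tid not in allowed:
        return False
    # The issuer embeds the tenant ID (v2.0 and v1.0 endpoints); both must agree.
    expected = (
        f"https://login.microsoftonline.com/{tid}/v2.0",
        f"https://sts.windows.net/{tid}/",
    )
    return iss in expected


def make_unsigned_token(claims: dict) -> str:
    """Constructed test helper: builds a JWT-shaped string with a dummy signature."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig"
```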
News URL
https://thehackernews.com/2023/04/microsoft-fixes-new-azure-ad.html