The Register

Azure blunder left Bing results editable, MS 365 accounts potentially exposed

An Azure Active Directory (AAD) misconfiguration by Microsoft in one of its own cloud-hosted applications could have allowed miscreants to subvert the IT giant’s Bing search engine – even changing search results.

User information including Outlook emails, calendars, and Teams messages was also left vulnerable to potential theft and snooping.

Wiz researchers discovered the security blunder, and said the error – which they dubbed BingBang – was due to an authorization misconfiguration by Microsoft for its own multi-tenant apps in AAD.

(And this is after Redmond passed around notes on how to secure hosts on rival clouds.)

Apps that use AAD can be configured as single-tenant or multi-tenant. Multi-tenant apps allow logins from potentially any Azure user. It’s the developer’s responsibility to perform additional authorization checks and decide which users should be allowed to access the app.

However, as one of the researchers, Hillai Ben-Sasson, noted in a series of tweets about the attack path, “a single checkbox is all that separates an app from becoming ‘multi-tenant’.”

And in a subsequent blog, he described it as a “textbook example of Shared Responsibility confusion.”

“This complicated architecture is not always evident to developers, and the responsibility to validate the end-users’ tokens is unclear,” Ben-Sasson wrote. “As a result, configuration and validation mistakes are quite prevalent.”

In fact, 25 percent of all the multi-tenant apps that the Wiz team scanned were vulnerable to this type of authentication bypass, we’re told.

The team “spotted several” misconfigured Microsoft-managed apps, including one called Bing Trivia. The researchers created a new account and were able to log in to Bing Trivia, where they found a Content Management System (CMS), and altered the “best soundtracks” search query – changing the first item, Dune (2021), to the team’s favorite, Hackers (1995). 

The altered result immediately appeared on Bing.

“This proved that we could control Bing’s search results, and as we would later confirm, this control extended to Bing’s homepage content as well,” Ben-Sasson said.

After changing the search results, the researchers wanted to test whether it was possible to use this security weakness to perform cross-site scripting (XSS) attacks, which would involve miscreants running malicious scripting code in a victim’s browser by injecting data into a trusted Microsoft webpage. That code could, for instance, potentially access and exfiltrate the victim’s account, if successfully executed in their browser when they visited a page poisoned by the team.

Wiz noticed Bing’s “Work” section allows users to search their Office 365 (now known as Microsoft 365) data, and that this section was based on the Office 365 API. “One specific endpoint created JWT tokens for the Office 365 API, so we generated a new XSS payload via this endpoint,” Ben-Sasson wrote. 

In addition to Bing Trivia, Wiz found other internal Microsoft-managed apps with similar misconfigurations. 

These included a control panel for the MSN Newsletter called Mag News, an API for Microsoft’s Central Notification Service, Contact Center, an internal tool called PoliCheck that scans for forbidden words in Microsoft code, a WordPress admin panel that allowed Wiz to publish fake posts to a trusted Microsoft.com domain, and finally Microsoft’s Cosmos file management system with more than four exabytes of files.

The researchers reported their findings to Microsoft, which issued fixes for all of these applications and awarded Wiz a $40,000 bug bounty. The team says it’s going to donate the prize to a good cause.

“Microsoft has confirmed that all the actions outlined by the researchers are no longer possible because of these fixes,” Redmond said in its own blog, adding that its security response team made other changes “to reduce the risk of future misconfigurations” by Redmond and its customers. ®

READ MORE HERE