Microsoft Bing had to urgently correct a flaw that could have had serious consequences


Alexandre Boero

March 30, 2023 at 5:30 p.m.


Microsoft Bing © Alexandre Boero for Clubic


Cybersecurity researchers have discovered a flaw affecting Microsoft Bing that allowed them to take control of several major features of the search engine, including the one that helps modify the results.

Discovered in Microsoft Bing by Wiz's security research team, the vulnerability was fixed on February 2, just a few days before the announcement of the integration of the ChatGPT conversational agent into the search engine. Before it was closed, the flaw was serious enough that, had it been exploited by malicious actors, it could have compromised the personal data of millions of Bing users.

Microsoft, a stone’s throw from the BingBang

The New York-based researchers from Wiz detailed a flaw that stemmed from a misconfiguration of Azure Active Directory (Azure AD or AAD), Microsoft's cloud-based identity and access management service. As a reminder, Azure AD controls access to platforms such as Microsoft 365 and the Azure portal, but also to many other cloud-hosted applications.

This flaw exposed misconfigured applications to unauthorized access. In other words, anyone could log into any of the affected apps or features, make changes, or grab data.

One of the affected applications was a content management system (CMS) that powers Bing.com. The researchers were thus able to take control of several features of the engine, including modifying search results and stealing the Microsoft 365 credentials of millions of users. The only condition for pulling this off? Having a Microsoft account.
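The misconfiguration described above belongs to a well-understood class: an application registered as multi-tenant in Azure AD that accepts a token from any Azure AD tenant without checking which tenant issued it, so that any Microsoft account holder is treated as a legitimate user. The following Python is an added example written for this page, not code from Microsoft, Wiz or the article. It shows the defensive check that closes the gap: the application's own token validation rejects any token whose issuer and `tid` (tenant ID) claim do not name an allowlisted tenant. The `iss` and `tid` claim names and the two issuer URL formats are Azure AD's real ones; the tenant IDs and tokens are constructed placeholders, and signature, audience and expiry validation are assumed to be performed by the application's token library before this check runs.

```python
"""
Added example (not from the Clubic article, Microsoft or Wiz): a tenant
allowlist check for an application protected by Azure AD.

Assumptions, all labelled: signature, audience and expiry are verified
elsewhere (for example by the OIDC/MSAL library in use); the tenant IDs and
the sample tokens below are constructed for this demo only.
"""
import base64
import json
from typing import Optional

# Constructed placeholder: the one tenant this application should trust.
OWN_TENANT = "11111111-1111-1111-1111-111111111111"
OTHER_TENANT = "22222222-2222-2222-2222-222222222222"  # constructed, untrusted
ALLOWED_TENANT_IDS = {OWN_TENANT}

# Real Azure AD issuer formats: the issuing tenant's GUID follows the prefix.
V1_ISSUER_PREFIX = "https://sts.windows.net/"
V2_ISSUER_PREFIX = "https://login.microsoftonline.com/"


def decode_claims(token: str) -> dict:
    """Decode a JWT payload without verifying the signature.

    Only for reading claims after the signature has already been verified.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def tenant_from_issuer(iss: str) -> Optional[str]:
    """Extract the tenant GUID embedded in a v1 or v2 Azure AD issuer URL."""
    for prefix in (V1_ISSUER_PREFIX, V2_ISSUER_PREFIX):
        if iss.startswith(prefix):
            return iss[len(prefix):].split("/")[0] or None
    return None


def is_token_from_allowed_tenant(claims: dict, allowed=ALLOWED_TENANT_IDS) -> bool:
    """Accept only if issuer and tid agree and both name an allowlisted tenant.

    A multi-tenant app that skips this step accepts tokens from every tenant,
    which is the misconfiguration class behind the Bing CMS exposure.
    """
    tid = claims.get("tid")
    iss_tenant = tenant_from_issuer(claims.get("iss", ""))
    if not tid or not iss_tenant:
        return False
    return tid == iss_tenant and tid in allowed


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for the demo (never use in production)."""
    def seg(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}.placeholder-signature"


# Constructed sample tokens exercising the three outcomes.
TOKEN_OWN_TENANT = make_unsigned_token({
    "iss": f"{V2_ISSUER_PREFIX}{OWN_TENANT}/v2.0", "tid": OWN_TENANT,
    "aud": "api://example-cms", "preferred_username": "editor@example.test",
})
TOKEN_OTHER_TENANT = make_unsigned_token({
    "iss": f"{V1_ISSUER_PREFIX}{OTHER_TENANT}/", "tid": OTHER_TENANT,
    "aud": "api://example-cms", "preferred_username": "outsider@other.test",
})
# Claims that disagree with each other: treated as untrusted as well.
TOKEN_MISMATCHED = make_unsigned_token({
    "iss": f"{V2_ISSUER_PREFIX}{OTHER_TENANT}/v2.0", "tid": OWN_TENANT,
    "aud": "api://example-cms",
})


def check_token(token: str) -> bool:
    """Full demo path: decode the (already verified) token and apply the check."""
    return is_token_from_allowed_tenant(decode_claims(token))


if __name__ == "__main__":
    for name, tok in (("own tenant", TOKEN_OWN_TENANT),
                      ("other tenant", TOKEN_OTHER_TENANT),
                      ("mismatched claims", TOKEN_MISMATCHED)):
        print(f"{name}: {'accepted' if check_token(tok) else 'rejected'}")
```

The same policy can usually be expressed in configuration instead of code: restricting the app registration to a single tenant, or setting the token library's accepted-issuer list to the organisation's own tenant rather than the `common` endpoint, achieves the same result without a custom check.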

© Microsoft Bing

A flaw that opened access to many applications in the Microsoft galaxy

The flaw could have had cascading consequences, since getting hold of Microsoft 365 credentials in turn opened up access to the Outlook emails and private documents of affected users. "Exploiting the vulnerability was simple and didn't require a single line of code," the Wiz team stresses.

To demonstrate the modification of search results, the experts chose the query "best soundtracks" and, from the CMS, altered the first result returned. The entry for the film Dune, released in 2021, thus became the one for the film… Hackers, released in 1995. Note in passing the researchers' sense of humour in picking this film, starring Jonny Lee Miller and Angelina Jolie; they also took care to change the thumbnail.

Without anyone noticing: on the left, before the researchers' intervention; on the right, after © Wiz

Wiz was then able to compromise the Office 365 token of any Bing user and, working with Microsoft, to access users' Microsoft 365 data, which includes Outlook and calendars, but also Teams messages, SharePoint documents and files hosted on OneDrive, the company's online storage platform. These tests were limited to a Wiz researcher's own account, and "no testing has been done on other Bing users," the security company reassures.

More scare than harm, then, for a flaw, since fixed, that could have granted unrestricted access to the information and private files of many millions of users of Bing, the 27th most visited site in the world.

Source: Wiz blog
