Earlier this year, a dangerous vulnerability was discovered in Microsoft’s Bing search engine that allowed users to alter search results and access other Bing users’ private information from applications such as Teams, Outlook, and Office 365. The issue was discovered by security researchers at Wiz in January, who found a misconfiguration in Microsoft’s cloud computing platform, Azure, that compromised Bing. As a result, any Azure user could access applications without authorization.
The vulnerability was found in the Azure Active Directory (AAD) identity and access management service. Applications using the platform’s multi-tenant permissions are accessible by any Azure user, requiring developers to validate which users can access their apps. However, misconfigurations are common, with 25% of all multi-tenant apps lacking proper validation. One of these apps was Bing Trivia, where researchers were able to control live search results on Bing.com. Anyone who landed on the Bing Trivia app page could have potentially manipulated Bing’s search results to launch misinformation or phishing campaigns.
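The validation gap described above, as an added illustration that is not Wiz's or Microsoft's code: a multi-tenant app that only checks a token's audience accepts tokens minted by any Azure AD tenant, while the hardened check also requires the `tid` and `iss` claims to match an explicit tenant allowlist. The tenant and client IDs are constructed placeholders, and signature verification is assumed to have been done beforehand by a proper JWT library.

```python
import base64
import json
from typing import Dict, Iterable

# Constructed placeholder identifiers (not real tenants or apps).
APP_CLIENT_ID = "app-client-id-placeholder"
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
FOREIGN_TENANT = "99999999-9999-9999-9999-999999999999"


def _b64url(obj: Dict) -> str:
    """Base64url-encode a JSON object without padding (JWT convention)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


def make_unsigned_token(claims: Dict) -> str:
    """Build a constructed, unsigned compact JWT (header.payload.) for the demo."""
    return f"{_b64url({'alg': 'none', 'typ': 'JWT'})}.{_b64url(claims)}."


def decode_jwt_payload(token: str) -> Dict:
    """Return the claims of a compact JWT. Signature checking is assumed to
    have happened already; this only reads claims for the tenant check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload))


def weak_accepts(claims: Dict) -> bool:
    """The misconfiguration: only the audience is checked, so a token issued
    by any Azure AD tenant for this client ID is accepted."""
    return claims.get("aud") == APP_CLIENT_ID


def hardened_accepts(claims: Dict, allowed_tenants: Iterable[str]) -> bool:
    """Fix: the issuing tenant must be on an allowlist and the issuer URL must
    be the v2.0 endpoint of that same tenant; anything else is rejected."""
    tid = claims.get("tid")
    if claims.get("aud") != APP_CLIENT_ID or tid not in set(allowed_tenants):
        return False
    return claims.get("iss") == f"https://login.microsoftonline.com/{tid}/v2.0"


def token_for(tenant: str) -> str:
    """Constructed token as the v2.0 endpoint of `tenant` would shape it."""
    return make_unsigned_token({
        "aud": APP_CLIENT_ID,
        "tid": tenant,
        "iss": f"https://login.microsoftonline.com/{tenant}/v2.0",
    })
```

Run `hardened_accepts(decode_jwt_payload(token_for(FOREIGN_TENANT)), [HOME_TENANT])` to see the foreign-tenant token rejected where `weak_accepts` would have let it through.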
The exploit could also be used to access other users’ Office 365 data, exposing Outlook emails, calendars, Teams messages, SharePoint documents, and OneDrive files. Wiz successfully used the vulnerability to read emails from a simulated victim’s inbox. Over 1,000 apps and websites on Microsoft’s cloud were found to have similar misconfigurations.
According to Ami Luttwak, Wiz’s chief technology officer, “a potential attacker could have influenced Bing search results and compromised Microsoft 365 emails and data of millions of people. It could have been a nation-state trying to influence public opinion or a financially motivated hacker.” The Bing vulnerability was reported to Microsoft’s Security Response Center on January 31st and fixed on February 2nd.
Had the issue not been patched just a few days prior, Bing’s explosive growth could have exposed this easily reachable exploit to millions more users. Bing is the 30th most visited website in the world, with over 100 million daily active users. In October last year, a similarly misconfigured Microsoft Azure endpoint resulted in the BlueBleed data breach, which exposed the data of 150,000 companies across 123 countries.
Wiz recommends that organizations with Azure Active Directory applications check their application logs for any suspicious logins that would indicate a security breach. There isn’t any evidence that the vulnerability had been exploited before it was patched. However, Azure Active Directory logs won’t necessarily provide details regarding previous activity, and the issue could have been exploitable for years. Microsoft confirmed that all reported issues had been fixed on March 20th and that the company has made additional changes to reduce the risk of future misconfigurations.