A misconfiguration in Microsoft’s Azure Active Directory (AAD) could have allowed miscreants to subvert Microsoft’s Bing search engine – even changing search results. User information including Outlook emails, calendars and Teams messages was also vulnerable.
Wiz security researchers discovered the issue, and say the attack – which they dubbed BingBang – was due to an authorization misconfiguration for multi-tenant apps in AAD.
Apps that use AAD can be configured as single-tenant or multi-tenant. Multi-tenant apps allow logins from potentially any Azure user. It’s the developer’s responsibility to perform additional authorization checks and decide which users should be allowed to access the app.
However, as one of the researchers, Hillai Ben-Sasson, noted in a series of tweets about the attack path, “a single checkbox is all that separates an app from becoming ‘multi-tenant’.”
And in a subsequent blog, he described it as a “textbook example of Shared Responsibility confusion.”
“This complicated architecture is not always evident to developers, and the responsibility to validate the end-users’ tokens is unclear,” Ben-Sasson wrote. “As a result, configuration and validation mistakes are quite prevalent.”
In fact, 25 percent of all the multi-tenant apps that the Wiz team scanned were vulnerable to this type of authentication bypass, we’re told.
The team “spotted several” of these misconfigured apps, including one called Bing Trivia. The researchers created a new account and were able to log in to Bing Trivia, where they found a Content Management System (CMS), and altered the “best soundtracks” query – changing the first item, “Dune (2021),” to the team’s favorite, “Hackers (1995).”
I hacked into a @Bing CMS that allowed me to alter search results and take over millions of @Office365 accounts.How did I do it? Well, it all started with a simple click in @Azure… 👀This is the story of #BingBang 🧵⬇️ pic.twitter.com/9pydWvHhJs
— Hillai Ben-Sasson (@hillai) March 29, 2023
The altered result immediately appeared on Bing.
“This proved that we could control Bing’s search results, and as we would later confirm, this control extended to Bing’s homepage content as well,” Ben-Sasson said.
After changing the search results, the researchers wanted to test a cross-site scripting (XSS) attack which would allow miscreants to send malicious code to a victim’s browser by injecting data into a trusted website.
Wiz noticed Bing’s “Work” section that allows users to search their Office 365 (now known as Microsoft 365) data, and that this section was based on the Office 365 API. “One specific endpoint created JWT tokens for the Office 365 API, so we generated a new XSS payload via this endpoint,” Ben-Sasson wrote.
In addition to Bing Trivia, Wiz found other internal Microsoft apps with similar misconfigurations.
These included a control panel for the MSN Newsletter called Mag News, an API for Microsoft’s Central Notification Service, Contact Center, an internal tool called PoliCheck that scans for forbidden words in Microsoft code, a WordPress admin panel that allowed Wiz to publish fake posts to a trusted Microsoft.com domain, and finally Microsoft’s Cosmos file management system with more than four exabytes of files.
The researchers reported their findings to Microsoft, which issued fixes for all of these applications and awarded Wiz a $40,000 bug bounty. The team says it’s going to donate the prize to a good cause.
“Microsoft has confirmed that all the actions outlined by the researchers are no longer possible because of these fixes,” Redmond said in its own blog, adding that its security response team made other changes “to reduce the risk of future misconfigurations.” ®