Microsoft Azure Active Directory (Azure AD) appears vulnerable to a new vulnerability discovered by security researchers. It was discovered that a vulnerability in Bing search results allowed users to alter the results and view users' private information. This included Outlook emails, calendars, and Microsoft Teams messages stored.
In the event of a misconfiguration in Azure Active Directory (AAD) in Microsoft's cloud-hosted applications, miscreants could have compromised Bing's search engine to subvert Microsoft's cloud-hosted services. The results could even be changed on the Bing home page if the request succeeds.
Several user accounts were left vulnerable to theft and snooping, as well as Outlook emails, calendars, and Teams messages.
An Azure Active Directory (Azure AD) misconfiguration has been identified by Wiz researchers as part of the BingBang campaign. The issue was discovered in January this year.
Microsoft's multitenant applications in Azure AD were misconfigured due to misconfiguration in the database. A developer must perform additional authentication steps to prevent these applications from being logged into by any Azure user, as these applications allow users to log into them from anywhere.
In AAD, apps can be single-tenant or multi-tenant, depending on this need and the user's choice. Azure users can log in to a multi-tenant application since it is multi-tenant. Developers are responsible for performing additional authorization checks and deciding which users are allowed to use the app, it is their responsibility to do so.
Approximately 25 percent of the multi-tenant applications they examined contained errors as a result of a lack of proper validation, based on Wiz researchers' findings. The researchers logged into Bing Trivia the application by creating an account and signing in to their account. The project team found a Content Management System (CMS) to manage the content, and they modified the search query based on their favorite team, Hackers (1995), to be the first item in the search results, instead of Dune (2021).
Security experts have also discovered that it is also possible to exploit this vulnerability to execute cross-site scripting attacks (XSS).
Further, Bing's Work section offers users to search Office 365 data that has been authorized for use by other employees who also have access to Office 365 in their organization. Email, calendar, Teams messages, OneDrive files, and SharePoint documents are some of the items that are included in this group.
Wiz researchers say several thousand cloud-based applications and websites are vulnerable. Mag News, Power Automated Blog, Contact Center, PoliCheck, and Cosmos are a few of the tools included in the Cosmos file management system and include Mag News.
In response to the change in search results, researchers wanted to see if this vulnerability could be exploited to conduct cross-site scripting (XSS) attacks, a form of malicious scripting that occurs when malicious scripts are injected into trusted Microsoft websites, causing them to run malicious scripts in a victim's browser. By executing the code in a victim's browser, an attacker would be able to access that victim's account, and if that code is successful, it could exfiltrate their data. In this case, the team poisoned a page so visitors would be able to see what they were supposed to see.
It has been found that other internal Microsoft-managed apps that were misconfigured like Bing Trivia were delivered similarly using Wiz.
There was also Mag News, another control panel that controlled MSN Newsletter, a Microsoft API for the Central Notification Service, and Contact Center, in addition to Mag News. In addition, there was a Microsoft internal tool called PoliCheck, used by the company to check for forbidden words in code. In addition, Wiz published fake posts on a Microsoft.com domain, which was secured through the WordPress admin panel. It contained more than four exabytes of data stored in a Microsoft Cosmos file storage system.
Microsoft responded by issuing fixes for all of these applications and awarding Wiz a $40,000 bug bounty award as a result of the researchers discovering the vulnerabilities.
It was reported by security researchers to Microsoft's Security Response Center on January 31, 2023, that the Bing vulnerability had been identified. The vulnerability has already been fixed in all affected applications by Microsoft as a result of updates released previously. It is important to note that no evidence has been found that attackers have exploited this vulnerability in the wild as a result of the flaw.
The good news is that Microsoft has made some changes to its Azure Active Directory applications in an attempt to prevent misconfigurations in the future. To track suspicious activity and prevent security breaches, the Wiz team recommends IT administrators check app logs.
