Microsoft has patched a high-severity vulnerability in its Bing search engine, which allowed potential threat actors to not only alter search results, but also access people's Office 365 data.
Cybersecurity researchers from Wiz discovered the flaw in January 2023, identifying it as a misconfiguration in the Azure Active Directory (AAD) identity and access management service in Microsoft's Azure cloud platform.
Aside from altering search engine results, the flaw could allow access to other people's Office 365 data, such as Outlook emails, calendars, Teams messages, OneDrive files, and more.
A common occurrence
Some applications on Azure can use multi-tenant permission, and thus be accessible by any Azure user. That means developers need to set up a way to validate users and keep tabs on who gets to access what. According to The Verge, this is where many get it wrong, as misconfigurations in this respect are "a common occurrence." Wiz says 25% of all multi-tenant apps it scanned didn't have proper validation.
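The validation step the paragraph refers to, as an added example that is not code from the article, Wiz or Microsoft: a multi-tenant Azure AD app receives tokens signed by Azure AD for users of any tenant, so after verifying the signature it must still decide which tenants it trusts. The weak check below accepts any token issued for the app; the hardened check also requires the tenant (`tid`) to be on an allow-list and the issuer (`iss`) to name that same tenant. The app ID, tenant IDs and sample claims are constructed placeholders, and the two issuer URL formats are assumed from Azure AD's v1.0 and v2.0 token conventions.

```python
"""Tenant allow-list validation for a multi-tenant Azure AD app.

Added example, not the article's or Wiz's code. It assumes the token's
signature has already been verified against the issuing tenant's JWKS;
the functions here enforce only the claim-level policy on the decoded
claims dictionary.
"""
from __future__ import annotations

# Constructed placeholder values; a real app reads these from its config.
APP_CLIENT_ID = "00000000-0000-0000-0000-00000000aaaa"
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
PARTNER_TENANT = "22222222-2222-2222-2222-222222222222"
FOREIGN_TENANT = "99999999-9999-9999-9999-999999999999"  # not trusted
ALLOWED_TENANTS = {HOME_TENANT, PARTNER_TENANT}


def expected_issuers(tenant_id: str) -> set[str]:
    """Issuer strings Azure AD puts in v1.0 and v2.0 tokens for a tenant
    (assumption; confirm against the tenant's OpenID Connect metadata)."""
    return {
        f"https://sts.windows.net/{tenant_id}/",
        f"https://login.microsoftonline.com/{tenant_id}/v2.0",
    }


def weak_is_authorized(claims: dict[str, str]) -> bool:
    """The misconfiguration class the article describes: the app only
    checks that the token was issued for it, so a user from any Azure AD
    tenant is let in."""
    return claims.get("aud") == APP_CLIENT_ID


def authorize(claims: dict[str, str],
              allowed_tenants: set[str] = ALLOWED_TENANTS) -> tuple[bool, str]:
    """Hardened check: audience, tenant allow-list, and issuer/tenant match.
    Returns (decision, reason) so rejections can be logged with a cause."""
    if claims.get("aud") != APP_CLIENT_ID:
        return False, "audience mismatch"
    tid = claims.get("tid", "")
    if tid not in allowed_tenants:
        return False, "tenant not allowed"
    # The issuer must name the same tenant as tid; a token whose iss points
    # at a different tenant is rejected even if tid looks acceptable.
    if claims.get("iss") not in expected_issuers(tid):
        return False, "issuer does not match tenant"
    return True, "ok"


def make_claims(tid: str, iss: str, aud: str = APP_CLIENT_ID) -> dict[str, str]:
    """Build a constructed claims dict shaped like a decoded Azure AD token."""
    return {"aud": aud, "tid": tid, "iss": iss, "preferred_username": "user@example.com"}


# Constructed sample tokens covering the cases the policy must distinguish.
SAMPLE_TOKENS = {
    "home_v2": make_claims(HOME_TENANT, f"https://login.microsoftonline.com/{HOME_TENANT}/v2.0"),
    "partner_v1": make_claims(PARTNER_TENANT, f"https://sts.windows.net/{PARTNER_TENANT}/"),
    "foreign": make_claims(FOREIGN_TENANT, f"https://login.microsoftonline.com/{FOREIGN_TENANT}/v2.0"),
    "iss_mismatch": make_claims(HOME_TENANT, f"https://login.microsoftonline.com/{FOREIGN_TENANT}/v2.0"),
    "wrong_aud": make_claims(HOME_TENANT, f"https://login.microsoftonline.com/{HOME_TENANT}/v2.0", aud="other-app"),
}


if __name__ == "__main__":
    for name, claims in SAMPLE_TOKENS.items():
        print(f"{name:13} weak={weak_is_authorized(claims)!s:5} hardened={authorize(claims)}")
```

The "foreign" sample is the case that matters: the weak check accepts it because the token is genuinely issued by Azure AD for this app, while the hardened check rejects it with "tenant not allowed". Rejection reasons are returned rather than printed so they can feed whatever logging or alerting the app already uses.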
That is exactly what happened to Bing Trivia, and that allowed the researchers to log in with their own Azure accounts. Once logged in, they were granted access to a content management system (CMS) which let them alter live search results from Bing. The researchers said that they didn't do anything spectacular here – anyone who knew how to reach the Bing Trivia page could have done the same.
Besides altering search engine results, the researchers also discovered they gained access to other people's Office 365 data, such as Outlook emails, calendars, Teams messages, OneDrive files, and more. The researchers tested it out on a mock email inbox and confirmed the vulnerability. But the vulnerability's reach doesn't end here – there are more than 1,000 apps and websites on Microsoft's cloud that had similar abusable misconfigurations, such as Mag News, PoliCheck, Cosmos, and more.
"A potential attacker could have influenced Bing search results and compromised Microsoft 365 emails and data of millions of people," Ami Luttwak, Wiz's chief technology officer, told The Wall Street Journal. "It could have been a nation-state trying to influence public opinion or a financially motivated hacker."
Microsoft was tipped off on January 31, and by March 20 had fully addressed the vulnerability. The researchers didn't find any evidence of prior abuse.
Via: The Verge