A dangerous vulnerability was detected in Microsoft’s Bing search engine earlier this year that allowed users to alter search results and access other Bing users’ private information from the likes of Teams, Outlook, and Office 365. Back in January, security researchers at Wiz discovered a misconfiguration in Azure — Microsoft’s cloud computing platform — that compromised Bing, allowing any Azure user to access applications without authorization.
Huge Microsoft exploit allowed users to manipulate Bing search results and access Outlook email accounts
The vulnerability was detected in the Azure Active Directory (AAD) identity and access management service. Applications configured for the platform’s multi-tenant permissions accept sign-ins from any Azure user, so it falls to developers to validate which tenants and users may actually access their apps. This responsibility isn’t always clear, making misconfigurations a common occurrence — Wiz claims 25 percent of all multi-tenant apps it scanned lacked proper validation.
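The misconfiguration described above comes down to an application trusting any token Azure AD signs, without checking which tenant issued it. The following is an added example (not Wiz’s or Microsoft’s code) contrasting that behaviour with a hardened authorization check. It assumes the token’s signature has already been verified by a JWT library and that `claims` is the decoded payload; the tenant IDs, `ALLOWED_TENANTS` and the two token payloads are constructed placeholders.

```python
# Added example: tenant validation for a multi-tenant Azure AD application.
# Assumes the JWT signature was already verified upstream; `claims` is the
# decoded payload dict. All tenant IDs below are constructed placeholders.

HOME_TENANT = "11111111-1111-1111-1111-111111111111"      # constructed: our own tenant
ALLOWED_TENANTS = {HOME_TENANT}                           # tenants allowed to sign in

# Constructed token payloads (only the claims relevant to this check).
HOME_TOKEN_CLAIMS = {
    "iss": f"https://login.microsoftonline.com/{HOME_TENANT}/v2.0",
    "tid": HOME_TENANT,
    "aud": "api://example-app",       # constructed application ID URI
    "preferred_username": "alice@example.com",
}
FOREIGN_TOKEN_CLAIMS = {
    "iss": "https://login.microsoftonline.com/22222222-2222-2222-2222-222222222222/v2.0",
    "tid": "22222222-2222-2222-2222-222222222222",   # constructed: someone else's tenant
    "aud": "api://example-app",
    "preferred_username": "mallory@other-tenant.example",
}


def vulnerable_authorize(claims: dict) -> bool:
    """The misconfigured pattern: a validly signed token for the right audience
    is accepted no matter which tenant it came from. Any Azure AD user passes."""
    return claims.get("aud") == "api://example-app"


def is_authorized_tenant(claims: dict, allowed_tenants: set) -> bool:
    """Hardened check: require the tenant ID claim to be on an explicit allowlist
    and require the issuer to match that same tenant, so a token from an
    unrelated tenant cannot satisfy the check."""
    tid = claims.get("tid")
    if not tid or tid not in allowed_tenants:
        return False
    expected_issuers = {
        f"https://login.microsoftonline.com/{tid}/v2.0",   # v2.0 endpoint issuer format
        f"https://sts.windows.net/{tid}/",                # v1.0 endpoint issuer format
    }
    return claims.get("iss") in expected_issuers


def hardened_authorize(claims: dict, allowed_tenants: set) -> bool:
    """Audience check plus tenant allowlist; both must hold."""
    return claims.get("aud") == "api://example-app" and is_authorized_tenant(claims, allowed_tenants)


if __name__ == "__main__":
    for label, claims in (("home", HOME_TOKEN_CLAIMS), ("foreign", FOREIGN_TOKEN_CLAIMS)):
        print(f"{label}: vulnerable={vulnerable_authorize(claims)} "
              f"hardened={hardened_authorize(claims, ALLOWED_TENANTS)}")
```

The issuer cross-check matters because a token with a spoofed or stale `tid` claim that somehow passed signature verification would still be rejected if its issuer URL names a different tenant. For single-tenant applications the simpler fix is to register the app as single-tenant so Azure AD refuses foreign sign-ins before a token is ever minted.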
One of these apps was Bing Trivia. Researchers were able to log in to the app using their own Azure accounts, where they discovered a content management system (CMS) that allowed them to control live search results on Bing.com. Wiz highlights that anyone who landed on the Bing Trivia app page could have potentially manipulated Bing’s search results to launch misinformation or phishing campaigns.
An investigation into Bing’s Work section also revealed that the exploit could be used to access other users’ Office 365 data, exposing Outlook emails, calendars, Teams messages, SharePoint documents, and OneDrive files. Wiz demonstrated that it successfully used the vulnerability to read emails from a simulated victim’s inbox. Over 1,000 apps and websites on Microsoft’s cloud were found with similar misconfigurations, including Mag News, Contact Center, PoliCheck, Power Automate Blog, and Cosmos.
“A potential attacker could have influenced Bing search results and compromised Microsoft 365 emails and data of millions of people,” Ami Luttwak, Wiz’s chief technology officer, said to The Wall Street Journal. “It could have been a nation-state trying to influence public opinion or a financially motivated hacker.”
The exploit was patched on February 2nd, just days before Microsoft launched Bing’s AI-powered Chat feature
The Bing vulnerability was reported to Microsoft’s Security Response Center on January 31st. Microsoft fixed the problem on February 2nd, according to Luttwak (seen via The Wall Street Journal). Wiz later flagged the other vulnerable applications on February 25th and said Microsoft confirmed all reported issues had been fixed on March 20th. Microsoft also said that the company has made additional changes to reduce the risk of future misconfigurations.
Bing has been enjoying a surge in popularity of late, surpassing a milestone of 100 million daily active users earlier this month following the launch of its AI-powered Bing Chat feature on February 7th. Had the issue not been patched a few days prior, Bing’s explosive growth could have exposed millions more users to the dangerous, easily reachable flaw — according to Similarweb, Bing is the 30th most visited website in the world.
In October last year, a similarly misconfigured Microsoft Azure endpoint resulted in the BlueBleed data breach that exposed the data of 150,000 companies across 123 countries. The latest vulnerability in Microsoft’s cloud network is also being retroactively disclosed in the same week that the company is attempting to sell its new Microsoft Security Copilot cybersecurity solution to businesses.
Wiz said there isn’t any evidence that the vulnerability had been exploited before it was patched. That said, Azure Active Directory logs won’t necessarily provide details regarding previous activity, and Wiz claims that the issue could have been exploitable for years. Wiz recommends that organizations with Azure Active Directory applications check their application logs for any suspicious logins that would indicate a security breach.
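One practical way to act on that recommendation is to review Azure AD sign-in records for your multi-tenant applications and flag any sign-in whose home tenant is not your own. The block below is an added example (not Wiz’s or Microsoft’s code) that runs such a check over a few constructed JSON sign-in records; the field names `homeTenantId`, `resourceTenantId`, `userPrincipalName` and `appDisplayName` follow the Microsoft Graph sign-in schema but are assumptions here, and all tenant IDs and users are constructed.

```python
# Added example: flag sign-ins to our applications that originate from a
# foreign Azure AD tenant. Input is one JSON object per line, as exported from
# a sign-in log. Records and tenant IDs are constructed for illustration.
import json

HOME_TENANT = "11111111-1111-1111-1111-111111111111"   # constructed: our tenant

# Constructed sample export: three normal sign-ins and one from another tenant,
# plus a malformed line to show the parser tolerating bad input.
SAMPLE_SIGNINS = """\
{"createdDateTime": "2023-01-15T08:02:11Z", "userPrincipalName": "alice@example.com", "appDisplayName": "Trivia CMS", "homeTenantId": "11111111-1111-1111-1111-111111111111", "resourceTenantId": "11111111-1111-1111-1111-111111111111"}
{"createdDateTime": "2023-01-15T09:14:03Z", "userPrincipalName": "bob@example.com", "appDisplayName": "Trivia CMS", "homeTenantId": "11111111-1111-1111-1111-111111111111", "resourceTenantId": "11111111-1111-1111-1111-111111111111"}
this line is not json
{"createdDateTime": "2023-01-16T22:41:57Z", "userPrincipalName": "mallory@other-tenant.example", "appDisplayName": "Trivia CMS", "homeTenantId": "22222222-2222-2222-2222-222222222222", "resourceTenantId": "11111111-1111-1111-1111-111111111111"}
{"createdDateTime": "2023-01-17T07:30:00Z", "userPrincipalName": "carol@example.com", "appDisplayName": "Mag News", "homeTenantId": "11111111-1111-1111-1111-111111111111", "resourceTenantId": "11111111-1111-1111-1111-111111111111"}
"""


def parse_signins(text: str) -> list:
    """Parse newline-delimited JSON; skip lines that are blank or malformed."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue   # a broken export line should not abort the whole review
    return records


def find_foreign_tenant_signins(records: list, home_tenant: str) -> list:
    """Return (timestamp, user, app, home tenant) for every sign-in whose home
    tenant differs from ours. A missing homeTenantId is also flagged, since it
    cannot be shown to be ours."""
    hits = []
    for rec in records:
        tenant = rec.get("homeTenantId")
        if tenant != home_tenant:
            hits.append((
                rec.get("createdDateTime", "?"),
                rec.get("userPrincipalName", "?"),
                rec.get("appDisplayName", "?"),
                tenant or "<missing>",
            ))
    return hits


def review(text: str, home_tenant: str) -> list:
    """Convenience wrapper: parse an export and return the foreign-tenant hits."""
    return find_foreign_tenant_signins(parse_signins(text), home_tenant)


if __name__ == "__main__":
    for when, user, app, tenant in review(SAMPLE_SIGNINS, HOME_TENANT):
        print(f"{when}  {user:<32} {app:<12} home tenant {tenant}")
```

A hit from an unknown tenant against an application that was meant to be internal is exactly the kind of suspicious login the article refers to. Sign-in logs have a limited retention window, so this review only covers the period the logs still hold, which is why Wiz cautions that earlier activity may be invisible.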