Posted on April 2, 2023 at 5:01 PM
Microsoft patches Azure AD misconfiguration issue affecting Bing and other apps
Microsoft has patched a misconfiguration issue in the Azure Active Directory (Azure AD) identity and access management service. The issue exposed multiple high-impact applications to attacks that could have allowed an attacker to gain unauthorized access.
Microsoft releases patch for Azure AD vulnerability
Wiz, a cloud security firm, said in a statement that the apps at risk included a content management system (CMS) that powers the Bing search engine. The researchers said the flaw allowed them to alter search results and launch high-impact XSS attacks against users of the Bing search engine.
The Wiz report further said, “One of these apps is a content management system (CMS) that powers Bing.com and allowed us to not only modify search results, but also launch high-impact XSS attacks on Bing users.”
The report further said that such attacks posed a risk to users’ personal data. An attacker could gain access to platforms such as Outlook email and SharePoint documents, which underscores the severity of the flaw and the impact it could have had on systems if exploited.
The issues in Azure Active Directory were reported to Microsoft between January and February 2022. After the discovery, the tech giant issued a patch to fix the issue. Wiz also received a $40,000 bug bounty for reporting it.
According to Microsoft, there were no signs that the misconfiguration issue had been exploited in the wild. The company added that it had introduced new authorization checks to address the matter, and that exploitation was no longer possible because the fixes had already been rolled out.
The class of vulnerability behind this report is known as “Shared Responsibility confusion.” In this case, an Azure app can be configured incorrectly so that users from any Microsoft tenant are able to access it, which can lead to unintended access to the application and the systems behind it.
Several internal Microsoft apps were found to show similar behavior. These apps allowed external parties to obtain read and write permissions to the affected application, putting both users and systems at risk.
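The misconfiguration described above, as an added illustration that is not code from the article or from Wiz's research: Azure AD verifies a token's signature and audience, but a multi-tenant app must itself decide which tenants' users it accepts. The claims dictionaries, tenant ids and app id below are constructed placeholders standing in for an already signature-verified ID token.

```python
from dataclasses import dataclass

# Constructed placeholder identifiers (not real tenant or app ids).
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
APP_ID = "22222222-2222-2222-2222-222222222222"
EXTERNAL_TENANT = "33333333-3333-3333-3333-333333333333"


@dataclass
class AppConfig:
    app_id: str
    multi_tenant: bool            # "accounts in any organizational directory"
    allowed_tenants: frozenset = frozenset()


def basic_token_checks(claims: dict, cfg: AppConfig) -> bool:
    """Checks the platform side already enforces: audience and a tenant claim."""
    return claims.get("aud") == cfg.app_id and bool(claims.get("tid"))


def authorize_misconfigured(claims: dict, cfg: AppConfig) -> bool:
    """Shared responsibility confusion: the app trusts any token Azure AD
    issued for it, so a user from any Microsoft tenant is let in."""
    return basic_token_checks(claims, cfg)


def authorize_hardened(claims: dict, cfg: AppConfig) -> bool:
    """Added authorization check: the issuing tenant must be the app's
    home tenant or on an explicit allow list."""
    if not basic_token_checks(claims, cfg):
        return False
    tid = claims["tid"]
    # The v2.0 issuer URL embeds the tenant id; tie the two claims together.
    if claims.get("iss") != f"https://login.microsoftonline.com/{tid}/v2.0":
        return False
    if not cfg.multi_tenant:
        return tid == HOME_TENANT
    return tid == HOME_TENANT or tid in cfg.allowed_tenants


def sample_claims(tid: str) -> dict:
    """Constructed stand-in for a decoded, signature-verified ID token."""
    return {"aud": APP_ID, "tid": tid,
            "iss": f"https://login.microsoftonline.com/{tid}/v2.0"}


MULTI_TENANT_APP = AppConfig(APP_ID, multi_tenant=True)

if __name__ == "__main__":
    ext = sample_claims(EXTERNAL_TENANT)
    print(authorize_misconfigured(ext, MULTI_TENANT_APP))  # True: any tenant gets in
    print(authorize_hardened(ext, MULTI_TENANT_APP))       # False: rejected
```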
Exploit affected search results
Among the apps affected by this vulnerability was the Bing Trivia application. Wiz used this app in its research, altering search results in the Bing engine and manipulating content on the Bing homepage in an attack chain it named BingBang.
Bing ranks as the 27th most-visited website globally, with over one billion monthly pageviews. Millions of users might have been exposed to malicious search results and data theft on Office 365.
The exploit could also have been weaponized further. Attackers could have used the flaw to mount a cross-site scripting (XSS) attack against the Bing.com search engine and to extract a victim’s Outlook emails, along with other personal data including calendars, Teams messages, OneDrive files, and SharePoint documents.
Wiz researcher Hillai Ben-Sasson said that a threat actor with the same access could have compromised the top search results with the same payload and gone on to leak sensitive data belonging to millions of users.
Besides Bing, multiple other applications might have also been vulnerable to the misconfiguration issue on the Azure Active Directory. These applications include Central Notification Service (CNS), Contact Center, COSMOS, Mag News, Policheck, and Power Automate Blog.
This development follows a report by the enterprise penetration testing firm NetSPI, which detailed a cross-tenant flaw in Power Platform connectors that could be exploited to gain access to sensitive user data.
Microsoft has been prompt in releasing patches for critical vulnerabilities. Following responsible disclosure in September 2022, the tech giant resolved the deserialization vulnerability in December last year.
The research also follows a patch for Super FabriXss, tracked as CVE-2023-23383 with a CVSS score of 8.2. That flaw is a reflected XSS vulnerability in Azure Service Fabric Explorer (SFX) that could result in unauthenticated remote code execution.