Researchers from Wiz have discovered a way to allow for search engine manipulation and account takeover. The research in question focuses on several Microsoft applications, with everything stemming from a new type of attack aimed at Azure Active Directory.
Azure Active Directory is a single sign-on and multi-factor authentication service used by organisations around the world. In Microsoft’s own words, “Governance ensures the right people have access to the right resources, and only when they need it”.
Unfortunately, a misconfiguration in how Azure was set up resulted in a collection of potentially serious issues. According to Wiz, once the team started scanning for exposed applications, no fewer than 35% of the apps they scanned were vulnerable to authentication bypass.
Perhaps the most striking example of this particular attack is how an exposed admin interface tied to Bing allowed any user to access it. Bypassing authentication resulted in a functional admin panel for the search engine. The researchers were able to not only change returned results for searches like “Best soundtrack”, but also take things quite a bit further.
This same access also allowed the researchers to inject a Cross Site Scripting attack (XSS) and compromise any Bing user’s Office365 credentials. From there, they could access:
- Private data
- Outlook emails
- SharePoint files
- Teams messages
This particular attack has been dubbed “BingBang”. Wiz notes that Bing is the 27th most visited website in the world, so that’s clearly a big target pool to play with. Additionally, other vulnerabilities existed in numerous other applications. These range from Mag News, a control panel for MSN newsletters and PoliCheck, a forbidden word checker, to Power Automate Blog (a WordPress admin panel) and CNS API, a Central Notification Service.
The potential for mischief here is wide-ranging. These applications can send internal notifications to Microsoft developers, or fire out emails to a large collection of recipients.
Thankfully Microsoft was notified about these issues, and by the time the latest Bing update was rolled out the issues had been addressed. From its Guidance Document:
Microsoft has addressed an authorization misconfiguration for multi-tenant applications that use Azure AD, initially discovered by Wiz, and reported to Microsoft, that impacted a small number of our internal applications. The misconfiguration allowed external parties read and write access to the impacted applications.
Microsoft immediately corrected the misconfiguration and added additional authorization checks to address the issue and confirmed that no unintended access had occurred.
Microsoft has confirmed that all the actions outlined by the researchers are no longer possible because of these fixes.
Microsoft made additional changes to reduce the risk of future misconfigurations.
The initial Bing issue was first reported to Microsoft on January 31, and it was fixed the same day. The additional vulnerabilities were reported on February 25, with fixes for those beginning on February 27 and ending March 20.
While there doesn’t seem to be any solid evidence of these flaws being abused in the wild, Wiz notes that according to Microsoft, Azure Active Directory logs are “insufficient to provide insight on past activity”. As a result, you would need to view application logs and check for any evidence of dubious logins.
Managing cloud applications is a challenging and difficult business, with small tiny mistakes potentially causing big problems. Sometimes, even Microsoft doesn’t get it quite right. Hopefully the worst impact here will turn out to have been knocking Dune out of the top soundtrack spot for the Hackers OST…even if the latter is the far superior album. Hack the planet indeed.
Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.