Misconfigured Microsoft App Causes Hijacking of Bing Search Results

Cybersecurity firm Wiz has reported an Azure Active Directory (AAD) misconfiguration, which left applications vulnerable to unauthorized access and could have resulted in the hijacking of Bing.com.

The cloud-based Identity and Access Management (IAM) service of Microsoft, known as AAD, is commonly utilized as the authentication method for Azure App Services and Azure Functions Applications.

Wiz Research, the cybersecurity firm, identified the security flaw and dubbed the exploit “BingBang.” Developers can use the ‘Support account types’ configuration setting to determine which account types should be permitted to access the application, including multi-tenants, personal accounts, or a combination of both.

The availability of this configuration option is intended for legitimate scenarios where developers need to enable their applications to be accessed across different organizations.

Accidentally granting excessive permissions by a developer could lead to unauthorized access to the application and its functionalities.

Wiz analysts discovered a misconfigured “Bing Trivia” app that allowed unrestricted access to its CMS, which was linked directly to Bing.com. They successfully modified search results and conducted a cross-site scripting attack, which led to the compromise of Office 365 tokens for Bing users.

Wiz reported the issue to Microsoft and worked together to assess the impact of the attack, which gave access to sensitive data such as SharePoint documents, Outlook emails, messages on Teams, Calendar Data, and OneDrive files.

Of particular significance, Microsoft has implemented a measure to cease the issuance of access tokens to clients that are not registered in the resource tenants, thereby restricting access solely to appropriately registered clients.

According to Microsoft’s advisory, “over 99% of customer applications” have had this feature disabled. Microsoft has supplied guidance to Global Admins (via the Azure Portal and email) and the Microsoft 365 Message Center on how to proceed with the remaining multi-tenant resource applications that depend on client access without a service principal.

Further security checks have been implemented for multi-tenant applications, including validation of the tenant ID against a specified allow-list and verification of the client registration (Service Principal).