Microsoft has fixed a critical vulnerability in Bing that allowed users to change search results and access private information for other search engine users found in applications such as Teams, Outlook, and Office 365. .
Last January, Wiz researchers discovered an error in the Azure configuration that allowed Bing to be hacked, as well as allowing any user of Microsoft's cloud computing platform to access applications without permission .
Researchers found the vulnerability in the Azure Active Directory Identity and Access Management service. Any user of (Azure) can access applications that use what are known as the platform's multi-tenant permissions, which require developers to verify which users can access their applications.
Given that this liability isn't always clear, misconfiguration is common, with Waze even claiming that 25 percent of the multi-tenant applications it examined all lacked proper validation.
Bing Trivia is one such application, as the researchers were able to log into the application using their Azure accounts, where they discovered a CMS that allowed them to control search results directly on the Bing.com search engine.
Waze warns that anyone who accesses the Bing Trivia page may have manipulated Bing search results to launch misinformation or phishing campaigns.
An investigation into Bing's Work division also revealed that the exploit could be used to access other users' data in the Office 365 desktop application service, exposing emails, calendars, Teams messages, SharePoint documents, and OneDrive files. OneDrive in Outlook.
Waze demonstrated that it had successfully used the vulnerability to read emails from a hypothetical victim's inbox. Similar exploits with the misconfiguration were discovered in more than 1,000 apps and sites on Microsoft's cloud platform, including: Mag News, Contact Center, PoliCheck, Power Automate Blog, and Cosmos.
"It's possible that a potential attacker affected Bing search results and compromised the emails and Microsoft 365 data of millions of people," Ami Lutwak, Waze's chief technology officer, told The Wall Street Journal . "(The potential attacker) could be a nation-state that tried to influence public opinion, or a hacker with financial motives," he added.
According to Waze's chief technology officer, Microsoft's Security Response Center was informed of the Bing vulnerability on January 31, and the company fixed it on February 2.
Then (Waze) identified the other applications at risk on February 25, and said that Microsoft confirmed that all reported problems had been fixed on March 20. Microsoft also said it made additional changes to reduce the risk of misconfiguration in the future.
Recently, the (Bing) engine has witnessed a huge rise in popularity, so that it exceeded 100 million daily active users earlier this month after launching the chat feature based on artificial intelligence technology on February 7.
If the problem had not been fixed a few days before the feature was launched, the explosive growth of the search engine could have affected millions of users by the dangerous security vulnerability, especially since (Bing) is ranked as the thirtieth most visited site in the world, according to the company (Bing). Similarweb . _
In October of last year, a similar configuration error in Azure led to the BlueBleed data breach, which exposed the data of 150,000 companies in 123 countries.
Waze said there was no evidence that the vulnerability was exploited before it was patched. However, Azure Active Directory logs won't necessarily provide details regarding past activity, and Waze claims the issue could be exploitable for years.
Waze recommends that organizations with Azure Active Directory applications check their application logs for any suspicious logins that may indicate a security breach.