Microsoft Fixes New Azure AD Vulnerability Impacting Bing Search and Major Apps

Microsoft has fixed an Azure Active Directory (AAD) identity and access misconfiguration that left several of its own high-profile applications open to unauthorized access.

In its report, cloud security firm Wiz said it found a content management system (CMS) behind an application that operated Bing.com. Access to that CMS made it possible to alter Bing search results and to mount cross-site scripting (XSS) attacks on Bing users, which in turn could have exposed sensitive data such as Outlook.com emails, Microsoft Office documents, and files stored in SharePoint. Wiz researchers discovered the flaw as part of "Supernova", an ongoing project focused on cloud security testing.

Microsoft was notified of the issues in January and February of 2022, fixed them, and awarded Wiz a $40,000 bug bounty. Microsoft also said it had found no indication that any outside party had exploited the misconfigurations.

The root cause is a misunderstanding of the shared responsibility model. An Azure AD app registration can be configured as multi-tenant, so that accounts in any organizational directory are allowed to sign in; Azure AD then issues tokens to users from any Microsoft tenant, and it is the application's own job to check the tenant (the token's issuer and tenant ID claims) before granting access. When that check is missing, users from any Microsoft tenant gain access that was never intended.
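The following is an added example, not code from Wiz or Microsoft, showing the weak check that a multi-tenant app typically ends up with beside the hardened form that pins the tenant, plus a small audit helper for spotting multi-tenant app registrations. The tenant IDs, client ID, user names and app manifests are all constructed for the example; real token payloads would come from a signature-verified JWT, and signature verification is out of scope here.

```python
"""
Added example (not Wiz's or Microsoft's code): why an Azure AD app that is
registered as multi-tenant must validate the tenant of every token it accepts.
Token payloads below are constructed; in a real service they come from a
signature-verified JWT (signature verification is not shown here).
"""

# Hypothetical identifiers used for this example only.
OWN_TENANT_ID = "11111111-1111-1111-1111-111111111111"
ATTACKER_TENANT_ID = "99999999-9999-9999-9999-999999999999"
APP_CLIENT_ID = "aaaaaaaa-0000-0000-0000-aaaaaaaaaaaa"
# Azure AD v2.0 tokens use this issuer format; v1.0 tokens use a different one.
V2_ISSUER_PREFIX = "https://login.microsoftonline.com/"


def vulnerable_check(claims: dict) -> bool:
    """The weak pattern: confirms the token is for this app and was issued by
    *some* Azure AD tenant. With a multi-tenant registration
    (signInAudience = AzureADMultipleOrgs), any Microsoft tenant's users pass."""
    return (
        claims.get("aud") == APP_CLIENT_ID
        and str(claims.get("iss", "")).startswith(V2_ISSUER_PREFIX)
    )


def hardened_check(claims: dict, allowed_tenants: frozenset) -> bool:
    """The fix: pin the tenant. Require a tid claim on the allowlist and an
    issuer whose tenant segment matches that tid exactly."""
    tid = claims.get("tid")
    if tid not in allowed_tenants:
        return False
    expected_iss = f"{V2_ISSUER_PREFIX}{tid}/v2.0"
    return claims.get("aud") == APP_CLIENT_ID and claims.get("iss") == expected_iss


def make_claims(tenant_id: str, upn: str) -> dict:
    """Build a minimal Azure AD v2.0 access-token payload (constructed sample)."""
    return {
        "aud": APP_CLIENT_ID,
        "iss": f"{V2_ISSUER_PREFIX}{tenant_id}/v2.0",
        "tid": tenant_id,
        "preferred_username": upn,
    }


def audit_multitenant_apps(app_manifests: list) -> list:
    """Return display names of app registrations whose signInAudience allows
    accounts outside the home tenant. Input is shaped like the JSON that
    `az ad app list` returns (constructed here, not real data)."""
    risky = {"AzureADMultipleOrgs", "AzureADandPersonalMicrosoftAccount"}
    return [a["displayName"] for a in app_manifests if a.get("signInAudience") in risky]


# Constructed manifests mirroring the relevant `az ad app list` fields.
SAMPLE_APPS = [
    {"displayName": "trivia-cms", "signInAudience": "AzureADMultipleOrgs"},
    {"displayName": "internal-portal", "signInAudience": "AzureADMyOrg"},
]


def demo() -> dict:
    """Run both checks against an in-tenant and a foreign-tenant token."""
    insider = make_claims(OWN_TENANT_ID, "alice@contoso.example")
    outsider = make_claims(ATTACKER_TENANT_ID, "mallory@attacker.example")
    allowed = frozenset({OWN_TENANT_ID})
    # A token whose tid is on the allowlist but whose issuer is another tenant
    # must also be rejected: the two claims are checked against each other.
    mismatched = {**insider, "iss": f"{V2_ISSUER_PREFIX}{ATTACKER_TENANT_ID}/v2.0"}
    return {
        "vulnerable_accepts_outsider": vulnerable_check(outsider),
        "hardened_accepts_outsider": hardened_check(outsider, allowed),
        "hardened_accepts_insider": hardened_check(insider, allowed),
        "hardened_rejects_issuer_mismatch": hardened_check(mismatched, allowed),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
    print("multi-tenant app registrations to review:", audit_multitenant_apps(SAMPLE_APPS))
```

The vulnerable check is the one a developer writes when they assume Azure AD has already decided who may sign in; for a multi-tenant registration it has not, so the outsider token is accepted. Pinning `tid` to an allowlist and requiring the issuer to match that tenant is the application-side half of the shared responsibility. The audit helper is the starting point for the inventory question the incident raises: which of your app registrations accept accounts from any organizational directory, and does each of them enforce a tenant check.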

Notably, several of Microsoft's own internal applications were found to be configured this way, allowing external users to access and manipulate them.

One of them, the Bing Trivia app, is what Wiz used to modify Bing search results and manipulate content on the Bing homepage in a chain of attacks the company named "BingBang".

More troubling, the same access could be weaponized into a cross-site scripting (XSS) attack on Bing.com, potentially exposing a victim's personal emails, calendars, Teams messages, SharePoint documents, and OneDrive files.

Wiz researcher Hillai Ben-Sasson pointed out that a malicious actor with the same level of access could have used the same techniques to take control of the most popular search results and expose confidential information belonging to millions of users.

Several other applications were found to be affected by the same misconfiguration, including Mag News, Central Notification Service (CNS), Contact Center, PoliCheck, Power Automate Blog, and COSMOS.

The findings come shortly after enterprise penetration testing firm NetSPI disclosed a cross-tenant vulnerability in Power Platform connectors that could have given an attacker unauthorized access to sensitive data.

That deserialization vulnerability was responsibly disclosed in September 2022 and fixed by Microsoft in December 2022.

The disclosure also follows Microsoft's release of patches for Super FabriXss (CVE-2023-23383, CVSS score: 8.2), a reflected XSS vulnerability in Azure Service Fabric Explorer (SFX) that could lead to unauthenticated remote code execution.
