Earlier this year, Microsoft’s Bing search engine was found to have a dangerous vulnerability that allowed users to modify search results and access private information of other Bing users, including from Teams, Outlook, and Office 365. Security researchers from Wiz discovered a misconfiguration in Azure, Microsoft’s cloud computing platform, that led to this compromise.
The issue was found in the Azure Active Directory (AAD) identity and access management service, where applications utilizing multi-tenant permissions can be accessed by any Azure user. Because developer responsibilities are unclear, misconfigurations are prevalent: according to Wiz, 25% of all scanned multi-tenant apps lacked proper validation.
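One form the validation described above can take is a tenant allow-list applied to the token's claims. This is an added example, not code from Wiz or Microsoft. It assumes v2.0 tokens whose signature and expiry a JWT library has already verified, and the tenant IDs, client ID and claim sets are constructed placeholders.

```python
# Added example: tenant allow-list for a multi-tenant Azure AD application.
# Assumption: signature and expiry were verified upstream by a JWT library;
# this code only decides which tenants' users may use the app.

ISSUER_TEMPLATE = "https://login.microsoftonline.com/{tid}/v2.0"  # v2.0 issuer format

# Constructed placeholder values, not real tenants or applications.
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
OTHER_TENANT = "22222222-2222-2222-2222-222222222222"
CLIENT_ID = "00000000-0000-0000-0000-00000000abcd"
ALLOWED_TENANTS = frozenset({HOME_TENANT})


class AuthorizationError(Exception):
    """Raised when verified claims do not belong to an allowed tenant."""


def authorize_claims(claims, allowed_tenants=ALLOWED_TENANTS, audience=CLIENT_ID):
    """Return the caller's object ID, or raise AuthorizationError."""
    tid = claims.get("tid")
    if not isinstance(tid, str) or tid not in allowed_tenants:
        raise AuthorizationError("tenant not on allow-list")
    # The issuer must be the one belonging to the claimed tenant.
    if claims.get("iss") != ISSUER_TEMPLATE.format(tid=tid):
        raise AuthorizationError("issuer does not match tenant")
    if claims.get("aud") != audience:
        raise AuthorizationError("token was issued for a different application")
    oid = claims.get("oid")
    if not oid:
        raise AuthorizationError("missing object ID")
    return oid


def is_authorized(claims):
    try:
        authorize_claims(claims)
        return True
    except AuthorizationError:
        return False


def make_claims(tid, iss_tid=None, aud=CLIENT_ID, oid="user-1"):
    """Build a constructed claim set for the checks below."""
    return {"tid": tid, "iss": ISSUER_TEMPLATE.format(tid=iss_tid or tid),
            "aud": aud, "oid": oid}
```

A token from `OTHER_TENANT` is correctly signed and carries the right audience, so without the allow-list it would be accepted like any other.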
During the investigation, it was discovered that Bing Trivia was one of the vulnerable apps, allowing researchers to access a content management system (CMS) and manipulate Bing’s search results. Wiz warns that this could have led to the spread of misinformation and phishing attacks by anyone who landed on the Bing Trivia app page. Further investigation into Bing’s Work section revealed that the exploit could also provide unauthorized access to other Office 365 data, such as Outlook emails, calendars, Teams messages, SharePoint documents, and OneDrive files.
Wiz demonstrated this vulnerability by successfully reading emails from a simulated victim’s inbox. More than 1,000 apps and websites on Microsoft’s cloud had similar misconfiguration vulnerabilities, including Mag News, Contact Center, PoliCheck, Power Automate Blog, and Cosmos.
Recently, Bing’s popularity has been on the rise, reaching a milestone of 100 million daily active users this month after introducing the AI-powered Bing Chat feature on February 7th. However, if the vulnerability had not been fixed a few days prior, Bing’s rapid growth could have exposed millions of users to a dangerous and easily accessible security exploit. According to Similarweb, Bing is currently the 30th most visited website in the world.