What you need to know
- Wiz Research discovered an issue within Microsoft Azure that left Bing and millions of Microsoft accounts vulnerable.
- White hat hackers were able to change Bing search results and demonstrated that an attack could be delivered to users through the search engine.
- The vulnerability was reported to Microsoft and fixed less than a week before the new Bing powered by ChatGPT launched in preview.
Earlier this year, a vulnerability was discovered that put millions of Microsoft 365 accounts at risk. Security researchers at Wiz found a flaw in Azure that could be exploited to access Bing's CMS and gather private information from Microsoft apps, such as Teams, Outlook, and the Office suite.
Hillai Ben-Sasson, a cloud security researcher at Wiz, broke down how they were able to alter Bing search results and "take over millions of Office 365 accounts."
Below is the first tweet of an extensive thread about the exploit:
I hacked into a @Bing CMS that allowed me to alter search results and take over millions of @Office365 accounts. How did I do it? Well, it all started with a simple click in @Azure… 👀 This is the story of #BingBang 🧵⬇️
pic.twitter.com/9pydWvHhJs
March 29, 2023
Wiz also has a blog post about the vulnerability, as well as a video.
Wiz discovered an attack vector in Azure Active Directory that, if exploited, would grant unauthorized access to misconfigured applications. Roughly 25% of multi-tenant applications were vulnerable, according to Wiz. The research firm highlighted that such misconfigurations are common.
Several applications were at risk due to the vulnerability. Wiz was able to modify Bing search results and launch high-impact XSS attacks on users of Bing. If attacks such as those were successful, a threat actor could gain access to Outlook emails and SharePoint documents. OneDrive files, Outlook calendars, and Teams messages were also at risk of being exposed.
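The article only says the affected applications were "misconfigured" multi-tenant Azure AD apps. Wiz's public write-up attributes the problem to applications that accept sign-in tokens from any Azure AD tenant without checking which tenant issued them, so the defender-side fix is an explicit tenant check on every token. The example below is added here to illustrate that check; it is not Wiz's or Microsoft's code. It assumes the application has already verified the token's signature, audience and expiry with a proper JWT library, uses constructed (not real) tenant IDs and unsigned placeholder tokens, and relies on the documented Azure AD v2.0 issuer format `https://login.microsoftonline.com/{tenant-id}/v2.0`.

```python
import base64
import json

# Tenants this application is meant to serve. Constructed example IDs, not real tenants.
ALLOWED_TENANTS = {"11111111-1111-1111-1111-111111111111"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(claims: dict) -> str:
    """Build a JWT-shaped token for the demo. Constructed: the signature is a
    placeholder, so this must only ever be fed to the tenant check below, never
    trusted as a real credential."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def token_tenant_allowed(token: str, allowed_tenants=ALLOWED_TENANTS) -> bool:
    """Return True only if the token was issued by a tenant on the allowlist.

    Assumes signature, audience and expiry were already verified by the JWT
    library; this is the extra check a multi-tenant app must add so that a
    valid token from an unrelated tenant does not grant access.
    """
    try:
        _header, payload, _signature = token.split(".")
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, json.JSONDecodeError):
        # Malformed token: three segments, base64url and JSON are all required.
        return False
    tid = claims.get("tid")
    iss = claims.get("iss")
    if not tid or tid not in allowed_tenants:
        return False
    # The issuer must name the same tenant as the tid claim (Azure AD v2.0 format);
    # a mismatch means the claims are inconsistent and the token is rejected.
    expected_iss = f"https://login.microsoftonline.com/{tid}/v2.0"
    return iss == expected_iss


if __name__ == "__main__":
    home = make_token({
        "tid": "11111111-1111-1111-1111-111111111111",
        "iss": "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0",
        "sub": "user-a",
    })
    foreign = make_token({
        "tid": "22222222-2222-2222-2222-222222222222",
        "iss": "https://login.microsoftonline.com/22222222-2222-2222-2222-222222222222/v2.0",
        "sub": "user-b",
    })
    print("home tenant accepted:", token_tenant_allowed(home))
    print("foreign tenant accepted:", token_tenant_allowed(foreign))
```

For an application that does not actually need to serve other organizations, the first line of defense is the app registration itself: set the supported account types to a single directory rather than "any organizational directory". The claim check above is defense in depth for applications that are legitimately multi-tenant, where the allowlist is the set of tenants that have been onboarded.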
“A potential attacker could have influenced Bing search results and compromised Microsoft 365 emails and data of millions of people,” said Ami Luttwak, Wiz’s chief technology officer, to The Wall Street Journal. “It could have been a nation-state trying to influence public opinion or a financially motivated hacker.”
Wiz alerted Microsoft of the Bing vulnerability and the tech giant fixed it quickly. The research firm made Microsoft aware of other vulnerable applications on February 25, 2023. On March 20, 2023, Microsoft confirmed to Wiz that all of the related issues had been fixed.
In a way, the timing of the exploit being reported and fixed was a blessing for Microsoft. The vulnerability was reported on January 31, 2023 and fixed two days later on February 2, 2023. Microsoft announced the new Bing on February 7, 2023. Had the vulnerability been left unpatched when the new search engine launched in preview, the number of potential victims would have been much higher.
Bing Chat helped push Microsoft's search engine past 100 million daily active users.
According to Wiz, the vulnerability could have been exploitable for years, but the company clarified that it found no evidence that it had actually been exploited.