A stitch in time saves nine, they say – and that proved to be the case for Microsoft, which had to scramble to patch a flaw that could have put millions of Bing search engine users in jeopardy if left unchecked.
Wiz Research team takes the credit for spotting the flaw, which allowed its penetration testers to modify results accessed using the popular Microsoft search engine. What that means in layman’s terms is that valuable personal information of users could have been stolen by threat actors and used to access their private emails and documents.
It should be stressed that the Wiz team acted in good faith, tipping off Microsoft to the problem and allowing the tech giant to patch the previously undetected vulnerability.
So that made it another close call for Microsoft – but things could have turned out very differently.
Unskilled crooks would have loved this flaw
Wiz spotted the potential attack vector in the Azure Active Directory (AAD), which had a common system misconfiguration that exposed Microsoft apps to unauthorized access – one of them being the content management system (CMS) that powered Bing.com.
“This allowed them to take over Bing.com functionality, modify search results, and potentially enable the Office 365 credential theft of millions of Bing users,” said Wiz, describing its researchers’ white-hat operation. “These credentials in turn granted access to users’ private emails and documents.”
AAD is a cloud-based identity and access management service and described by Wiz as “the most common authentication mechanism for apps created in Azure App Services or Azure Functions.”
"The exploitation of the vulnerability was simple and didn't require a single line of code."Wiz Research
To underscore the potentially catastrophic nature of this security oversight, Wiz Research named the penetration campaign #BingBang.
“The exploitation of the vulnerability was simple and didn't require a single line of code,” it said.
What that means is a low-skilled cybercriminal could have used the flaw to wreak havoc among Microsoft’s army of customers.
“All issues were responsibly disclosed to Microsoft upon discovery,” said Wiz Research. “Microsoft rapidly fixed its vulnerable applications and modified some AAD functionality to reduce customer exposure.”
High jinks on the worldwide web
The bug could also have been used to facilitate mere mischief too. The Wiz investigators were able to modify search engine results obtained using Bing – for instance, when asked to return the most popular movie soundtrack of 2021, the Microsoft engine placed Dune at the top of the list. Wiz researchers were able to tweak that and replace it with Hackers, the score of the 1995 film of the same name.
“This proved that they could control arbitrary search results on Bing.com,” said Wiz. “A malicious actor landing on the Bing Trivia app page could therefore have tampered with any search term and launched misinformation campaigns, as well as phished and impersonated other websites.”
"A malicious actor landing on the Bing Trivia app page could have tampered with an search term"Wiz Research
But from online high jinks things quickly got serious again – the Wiz researchers realized they could use similar techniques to launch cross-site scripting (XSS) attacks, which occur when malicious scripts are injected into otherwise benign websites.
“XSS attacks occur when an attacker uses a web application to send malicious code to an end user through the website,” said Wiz. “The researchers added a harmless XSS payload to Bing.com and saw that it ran as expected, so they quickly reverted their changes and immediately reported their findings to Microsoft.”
Millions were at risk
But if they had had darker intentions, the Wiz investigators could have used the XSS payload to compromise Office 365 tokens “of any Bing user.”
“Bing and Office 365 are integrated,” said Wiz, adding that the former has an inbuilt function that allows users to search their Office 365 data.
“To implement this functionality, Bing communicates with Office 365 on the logged-in user's behalf,” it said. “Using this same feature, the researchers crafted an XSS payload that stole Office 365 access tokens from users.”
A stolen token would allow a potential attacker to access Bing users’ Office 365 data, including Outlook emails, calendars, Teams messages, SharePoint documents, and OneDrive files.
Once again, Wiz stresses that it only conducted this experiment on a team member’s account: no random users were targeted.
“A malicious actor with the same access could’ve hijacked the most popular search results with the same payload and leaked the sensitive data of millions of users,” said Wiz.
The security researcher cited SimilarWeb, which rates Bing as “the 27th most visited website in the world, with over a billion page views per month” – meaning millions of users might have been exposed to malware and Office 365 data theft.
More from Cybernews:
Subscribe to our newsletter