Microsoft Fixes New Azure AD Vulnerability Impacting Bing Search and Major Apps

April 1, 2023 | Ravie Lakshmanan | Azure / Active Directory


Microsoft has patched a misconfiguration issue in the Azure Active Directory (AAD) identity and access management service that exposed several “high impact” applications to unauthorized access.

“One of these apps is the content management system (CMS) that powers Bing.com, allowing it to not only alter search results, but launch high-impact XSS attacks against Bing users,” said Wiz, a cloud security firm, in a report. “These attacks could compromise a user’s personal data, such as their Outlook emails and SharePoint documents.”

The issues were reported to Microsoft in January and February 2023, after which Microsoft applied fixes and awarded Wiz a $40,000 bug bounty. Redmond said it found no evidence that the misconfiguration was actually exploited.

The root cause is what Wiz calls “shared responsibility confusion”: an Azure AD application can be registered as multi-tenant, which lets users from any Azure AD tenant sign in to it, but Azure AD only verifies that the user has a valid account somewhere in Microsoft’s identity platform. Checking which tenant the user actually comes from is the application developer’s job, and when that check is missing, any Azure AD user can log in and obtain whatever access the app grants.
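The following is an added example, not code from Wiz or Microsoft, showing both halves of that mistake in working Python: first an audit of app-registration manifests for the `signInAudience` values that open an app to other tenants, then the token-side check a multi-tenant app must do itself. The vulnerable acceptor trusts any token Microsoft issued for the app’s client ID; the hardened one pins the `iss`/`tid` claims to an allowlist of tenants. All GUIDs, display names and tokens are constructed for illustration, and the sample tokens are unsigned so the example runs offline (a real app must verify the signature against the tenant’s published keys before reading any claim).

```python
"""Added example: detecting and closing the multi-tenant gap the article describes.

Nothing here is Wiz's or Microsoft's code. Tenant IDs, client ID and app names
are made up; tokens are constructed and UNSIGNED purely so the demo runs offline.
"""
import base64
import json
import re

# ---- Part 1: audit app registrations ---------------------------------------
# signInAudience is the real manifest property on an Azure AD app registration.
# Only AzureADMyOrg restricts sign-in to the home tenant.
MULTI_TENANT_AUDIENCES = {
    "AzureADMultipleOrgs",
    "AzureADandPersonalMicrosoftAccount",
    "PersonalMicrosoftAccount",
}


def multi_tenant_apps(manifests):
    """Return display names of app registrations that accept other tenants' users."""
    return [
        m["displayName"]
        for m in manifests
        if m.get("signInAudience") in MULTI_TENANT_AUDIENCES
    ]


# ---- Part 2: validate the tenant on the application side -------------------
# v2.0 issuer format: https://login.microsoftonline.com/{tenant-id}/v2.0
MS_ISSUER = re.compile(r"^https://login\.microsoftonline\.com/([0-9a-f-]{36})/v2\.0$")


def claims_from_jwt(token):
    """Decode the payload of a compact JWT. Signature is NOT checked here;
    production code must verify it first, then apply the checks below."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def accept_vulnerable(claims, client_id):
    """The misconfigured pattern: any Microsoft-issued token for this app is
    trusted, regardless of which tenant the user belongs to."""
    return (
        claims.get("aud") == client_id
        and MS_ISSUER.match(claims.get("iss", "")) is not None
    )


def accept_hardened(claims, client_id, allowed_tenants):
    """Pin the tenant: tid must be allowlisted and must match the tenant in iss."""
    if claims.get("aud") != client_id:
        return False
    m = MS_ISSUER.match(claims.get("iss", ""))
    if not m:
        return False
    tid = claims.get("tid")
    return tid in allowed_tenants and m.group(1) == tid


# ---- Constructed sample data ----------------------------------------------
APP_CLIENT_ID = "00000000-0000-0000-0000-00000000beef"      # constructed
HOME_TENANT = "11111111-1111-1111-1111-111111111111"        # constructed
ATTACKER_TENANT = "22222222-2222-2222-2222-222222222222"    # constructed


def make_unsigned_jwt(claims):
    """Build a constructed alg=none token (demo only, never accept these)."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


def issuer(tid):
    return f"https://login.microsoftonline.com/{tid}/v2.0"


HOME_TOKEN = make_unsigned_jwt({"aud": APP_CLIENT_ID, "iss": issuer(HOME_TENANT),
                                "tid": HOME_TENANT, "preferred_username": "admin@home.example"})
ATTACKER_TOKEN = make_unsigned_jwt({"aud": APP_CLIENT_ID, "iss": issuer(ATTACKER_TENANT),
                                    "tid": ATTACKER_TENANT, "preferred_username": "anyone@other.example"})

SAMPLE_MANIFESTS = [  # constructed manifests
    {"displayName": "Example CMS app (constructed)", "signInAudience": "AzureADMultipleOrgs"},
    {"displayName": "Example HR portal (constructed)", "signInAudience": "AzureADMyOrg"},
]

if __name__ == "__main__":
    print("open to other tenants:", multi_tenant_apps(SAMPLE_MANIFESTS))
    for label, tok in (("home", HOME_TOKEN), ("other tenant", ATTACKER_TOKEN)):
        c = claims_from_jwt(tok)
        print(f"{label}: vulnerable={accept_vulnerable(c, APP_CLIENT_ID)} "
              f"hardened={accept_hardened(c, APP_CLIENT_ID, {HOME_TENANT})}")
```

The attacker-tenant token passes the vulnerable acceptor because `aud` and a Microsoft-shaped issuer are all it checks; the hardened acceptor rejects it on `tid`. Cross-checking `tid` against the tenant embedded in `iss` also guards against a token whose claims disagree with each other.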

Interestingly, many of Microsoft’s own internal apps were found to exhibit this behavior, allowing external parties to obtain read and write access to the affected applications.

These include the Bing Trivia app, which the cybersecurity firm used to alter Bing search results and manipulate homepage content as part of an attack chain it named BingBang.


Worse, the exploit could be weaponized to trigger a cross-site scripting (XSS) attack against Bing.com users and extract the victim’s Outlook emails, calendars, Teams messages, SharePoint documents, and OneDrive files.


“Malicious attackers with the same access could have hijacked the most popular search results with the same payload, exfiltrating sensitive data from millions of users,” said Wiz researcher Hillai Ben-Sasson.

Other apps found to be susceptible to the same misconfiguration include Mag News, Central Notification Service (CNS), Contact Center, PoliCheck, Power Automate blog, and COSMOS, among others.


The development comes months after enterprise penetration testing firm NetSPI disclosed details of a cross-tenant vulnerability in the Power Platform connector that could be exploited to gain access to sensitive data.

Following a responsible disclosure in September 2022, the deserialization vulnerability was resolved by Microsoft in December 2022.

The findings also follow the release of a patch for Super FabriXss (CVE-2023-23383, CVSS score: 8.2), a reflected XSS vulnerability in Azure Service Fabric Explorer (SFX) that could lead to unauthenticated remote code execution.
