Apr 01, 2023Ravie Lakshmanan
Microsoft has patched a misconfiguration issue impacting the
Azure Active Directory (AAD[1]) identity and access
management service that exposed several “high-impact” applications
to unauthorized access.
“One of these apps is a content management system (CMS) that
powers Bing.com and allowed us to not only modify search results,
but also launch high-impact XSS attacks on Bing users,” cloud
security firm Wiz said[2]
in a report. “Those attacks could compromise users’ personal data,
including Outlook emails and SharePoint documents.”
The issues were reported to Microsoft in January and February
2022, following which the tech giant applied fixes and awarded Wiz
a $40,000 bug bounty. Redmond said[3]
it found no evidence that the misconfigurations were exploited in
the wild.
The crux of the vulnerability stems from what’s called “Shared
Responsibility confusion,” wherein an Azure app can be incorrectly
configured to allow users from any Microsoft tenant, leading to a
potential case of unintended access.
Interestingly, a number of Microsoft’s own internal apps were
found to exhibit this behavior, thereby permitting external parties
to obtain read and write to the affected applications.
This includes the Bing Trivia app, which the cybersecurity firm
exploited to alter search results in Bing and even manipulate
content on the homepage as part of an attack chain dubbed
BingBang.
To make matters worse, the exploit could be weaponized to
trigger a cross-site scripting (XSS) attack on Bing.com and extract
a victim’s Outlook emails, calendars, Teams messages, SharePoint
documents, and OneDrive files.
“A malicious actor with the same access could’ve hijacked the
most popular search results with the same payload and leak
sensitive data from millions of users,” Wiz researcher Hillai
Ben-Sasson noted.
Other apps that were found susceptible to the misconfiguration
issue include Mag News, Central Notification Service (CNS), Contact
Center, PoliCheck, Power Automate Blog, and COSMOS.
THN WEBINAR
Become an Incident Response Pro!
Unlock the secrets to bulletproof incident response – Master the
6-Phase process with Asaf Perlman, Cynet’s IR Leader!
Don’t Miss Out –
Save Your Seat![4]
The development comes as enterprise penetration testing firm
NetSPI revealed[5]
details of a cross-tenant vulnerability in Power Platform connectors[6] that could be abused to
gain access to sensitive data.
Following responsible disclosure in September 2022, the
deserialization vulnerability was resolved by Microsoft in December
2022.
The research also follows the release of patches to remediate
Super FabriXss[7]
(CVE-2023-23383, CVSS score: 8.2), a reflected XSS vulnerability in
Azure Service Fabric Explorer (SFX) that could lead to
unauthenticated remote code execution.
Found this article interesting? Follow us on Twitter [8]
and LinkedIn[9]
to read more exclusive content we post.
References
Read more https://thehackernews.com/2023/04/microsoft-fixes-new-azure-ad.html
Latest News
- VIDEO.I.NG = 2 Live Crew – Banned In The U.S.A .This song, suddenly feeling very relevant. October 27, 2025
- America: Country in the Mirror – Talking About The Americans in the Mirror . We are what we eat indeed and Certainly What or Who we VOTE For ! October 27, 2025
- Michael Jackson, Olodum and the Yoruba Connection ! October 27, 2025
