A misconfigured Microsoft application allowed anyone to log in and modify Bing.com search results in real-time, as well as inject XSS attacks to potentially breach the accounts of Office 365 users. The security issue was discovered by Wiz Research, who named the attack “BingBang.” Wiz’s analysts reported the issue to Microsoft on January 31, 2023, and the tech giant confirmed that it was fixed on March 28, 2023.
Wiz researchers found that when creating an application in Azure App Services and Azure Functions, the app can be mistakenly configured to allow users from any Microsoft tenant, including public users, to log in to the application.
This configuration setting is called ‘Support account types’ and lets developers specify whether only a specific tenant, any tenant (multi-tenant), personal Microsoft accounts, or a mix of multi-tenant and personal accounts should be allowed to access the application. However, if a developer mistakenly assigns looser permissions than intended, it can give unwanted users access to the application and its features.
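As an added example (not code from Wiz's report or from Microsoft), this shows the authorization step a multi-tenant Azure AD application should perform after token signature validation so that only allow-listed tenants can log in, which is the check the misconfigured app effectively lacked. The tenant GUID and tokens are constructed placeholders, and v2.0 issuer URLs are assumed.

```python
import base64
import json

# Assumption: the application's home tenant, a constructed placeholder GUID.
HOME_TENANT_ID = "11111111-2222-3333-4444-555555555555"
ALLOWED_TENANTS = {HOME_TENANT_ID}

# Well-known tenant id under which personal (consumer) Microsoft accounts
# are issued tokens by the Microsoft identity platform.
MSA_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad"


def issuer_for(tid: str) -> str:
    """Expected v2.0 issuer for a given tenant (assumes v2.0 tokens)."""
    return f"https://login.microsoftonline.com/{tid}/v2.0"


def _b64(d: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()


def make_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED token so the example runs offline.
    Real tokens are signed; verify the signature before trusting claims."""
    return f"{_b64({'alg': 'none', 'typ': 'JWT'})}.{_b64(claims)}."


def decode_claims(jwt: str) -> dict:
    """Decode only the payload; signature checking is the OIDC library's job."""
    payload = jwt.split(".")[1]
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def tenant_allowed(claims: dict, allowed: set = ALLOWED_TENANTS) -> tuple:
    """After the token is cryptographically valid, make sure it was issued
    for a tenant this application trusts. Anything else is denied."""
    tid = claims.get("tid")
    iss = claims.get("iss", "")
    if not tid or tid not in allowed:
        return False, f"tenant {tid!r} is not allow-listed"
    # tid and iss must agree: a token whose issuer belongs to another tenant
    # is not a valid login for this tenant even if the tid claim looks right.
    if iss != issuer_for(tid):
        return False, f"issuer {iss!r} does not match tenant {tid!r}"
    return True, "ok"


if __name__ == "__main__":
    samples = [("home", HOME_TENANT_ID), ("foreign", "aaaa-foreign"), ("personal", MSA_TENANT_ID)]
    for label, tid in samples:
        claims = decode_claims(make_token({"tid": tid, "iss": issuer_for(tid), "sub": "user"}))
        ok, why = tenant_allowed(claims)
        print(f"{label:8} -> {'allow' if ok else 'deny'} ({why})")
```

Running it prints one allow line for the home tenant and deny lines for the foreign tenant and the personal-account tenant.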
Wiz’s analysts found a misconfigured “Bing Trivia” app that allowed anyone to log in to the application and access its CMS (Content Management System).
However, they soon discovered that the application was directly linked to Bing.com, allowing them to modify the live content shown in Bing search results.
To verify they had complete control, the researchers attempted and succeeded in modifying search results for the “best soundtracks” search term, adding arbitrary results to the top carousel. Next, the analysts checked if they could inject a payload into the Bing search results using this same CMS and found they could execute a cross-site scripting (XSS) attack on Bing.com.
After confirming that the XSS was possible, Wiz reported its findings to Microsoft and worked with the software company to determine the exact impact of this second attack.
A test XSS showed that it was possible to compromise the Office 365 token of any Bing user who saw the carousel in the search results, giving an attacker full access to the searchers’ accounts. This includes access to Outlook emails, calendar data, messages on Teams, SharePoint documents, and OneDrive files.
Microsoft downplayed the issue, saying that the misconfiguration that allowed external parties read and write access impacted only a small number of internal applications and was corrected immediately.