The Azure vulnerability allowed data to be stolen from millions of Office365 customers

Using manipulated search results in Microsoft’s Bing search engine, a security researcher managed to place his own results at the top of the list and add malicious code to them. It could then have stolen access cookies from registered Office365 clients, for example.

Microsoft offers Azure Active Directory as a cloud service to customers, but also uses the system for internal identity management services. The researcher gained access to Bing’s internal management tools with his Azure AD user through misconfiguration, and then was pretty much able to switch and manage there.

Azure AD is misconfigured

Azure Active Directory is actually supposed to make the world safer: authenticating users with effortless programming and single sign-on are the lures Microsoft uses to bring administrators and developers into its cloud. In addition, AAD allows any user to authenticate outside their own organization, which has many advantages for public web application operators. However, if cloud administrators activate this “multi-tenancy”, it could open the door to attackers.

Microsoft has now fallen into this same trap. In January this year, security firm Wiz found a subdomain called “bingtrivia.azurewebsites.net” while scanning for vulnerable Azure applications, which raised its suspicions. Security researchers successfully logged into AD with their access credentials immediately and were granted access to an internal Microsoft content management system. This system allowed sweeping changes to be published directly on bing.com and in search results. In this way, Wiz staff can not only change the background image of the Bing start page, but also change the search results.

This vulnerability made it possible to inject its own JavaScript code into the popular search engine, which was then executed in the user’s browser with its privileges. Then Hilay Ben-Sasson and his team gained access to the access tokens from the web-based Office suite via the Office365 API and were able to massively steal emails, calendar entries, team messages and documents from Sharepoint and OneDrive.

Given the scope of their detection—after all, Bing records more than 1 billion page views per month—the finders reported it to the Microsoft Security Response Center (MSRC), which installed a hotfix the same day. The security researchers received a $40,000 reward According to his words You will donate.

Protect your Azure AD

If you are using Azure AD yourself, you must use an extension Detailed blog article of explorers reading, where they also go into how to secure their own environment. as part of Heise Security Tour 2023 Heise Security also offers an all-day workshop on “Attacks on Azure and Azure Active Directory and its protection”.

(Yes)