By manipulating search results in Microsoft's Bing search engine, a security researcher managed to place his own results at the top of the list and attach malicious code to them. Such code could, for example, have stolen access cookies from logged-in Office 365 users.
Microsoft offers Azure Active Directory as a cloud service to customers, but also uses the system for its own internal identity management. Because of a misconfiguration, the researcher was able to gain access to Bing's internal management tools with his own Azure AD user and then had more or less free rein there.
Azure AD is misconfigured
Azure Active Directory is actually supposed to make the world safer: effortless user authentication for developers and single sign-on are the lures Microsoft uses to bring administrators and developers into its cloud. In addition, AAD can allow users from outside an organization's own tenant to authenticate, which has many advantages for operators of public web applications. However, if cloud administrators enable this "multi-tenancy" without restricting which accounts the application accepts, it can open the door to attackers.
Microsoft has now fallen into this very trap. In January this year, security firm Wiz came across a subdomain called "bingtrivia.azurewebsites.net" while scanning for vulnerable Azure applications, which raised its suspicions. The security researchers were able to log in straight away with their own Azure AD credentials and were granted access to an internal Microsoft content management system. This system allowed sweeping changes to be published directly on bing.com and in its search results. In this way, Wiz staff were able not only to change the background image of the Bing start page, but also to alter the search results themselves.
Given the scope of their finding, after all, Bing records more than 1 billion page views per month, the finders reported it to the Microsoft Security Response Center (MSRC), which deployed a hotfix the same day. According to their own statement, the security researchers received a $40,000 reward, which they will donate.
Protect your Azure AD
If you run Azure AD yourself, you should read the finders' detailed blog article, in which they also explain how to secure your own environment. As part of the Heise Security Tour 2023, Heise Security also offers an all-day workshop on "Attacks on Azure and Azure Active Directory and how to protect against them".
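The core of the misconfiguration described above is a multi-tenant application whose backend accepts a token from any Azure AD tenant without checking which tenant issued it. The following is an added example (not code from the article, from Wiz or from Microsoft) of the tenant check such a backend should perform after a JWT library has verified the token's signature; the tenant IDs and token claims are constructed placeholders.

```python
"""Tenant allow-list check for a multi-tenant Azure AD application.

Assumption: a JWT library has already verified the token signature and
expiry; this code only enforces which tenants are permitted to sign in.
"""
from dataclasses import dataclass

# Constructed placeholder for "our" organisation's tenant ID.
OWN_TENANT_ID = "00000000-0000-0000-0000-00000000aaaa"

# Azure AD v2.0 tokens carry iss = https://login.microsoftonline.com/{tid}/v2.0
ISSUER_PREFIX = "https://login.microsoftonline.com/"
ISSUER_SUFFIX = "/v2.0"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def check_tenant(claims: dict, allowed_tenants: frozenset = frozenset({OWN_TENANT_ID})) -> Decision:
    """Accept the token only if its tenant is on the allow-list.

    An app registered as multi-tenant whose backend skips this check
    accepts any Azure AD account in the world, which is exactly the
    door the article describes.
    """
    tid = claims.get("tid")
    iss = claims.get("iss")
    if not tid or not iss:
        return Decision(False, "missing tid or iss claim")
    # The issuer must be the endpoint of the same tenant named in tid;
    # a mismatch means the token was not minted by the tenant it claims.
    if iss != f"{ISSUER_PREFIX}{tid}{ISSUER_SUFFIX}":
        return Decision(False, "issuer does not match tid claim")
    if tid not in allowed_tenants:
        return Decision(False, f"tenant {tid} is not allowed to sign in")
    return Decision(True, "ok")


# Constructed sample claims: one token from our tenant, one from a foreign tenant.
OWN_TOKEN = {"tid": OWN_TENANT_ID, "iss": f"{ISSUER_PREFIX}{OWN_TENANT_ID}{ISSUER_SUFFIX}", "upn": "alice@own.example"}
FOREIGN_TID = "11111111-1111-1111-1111-11111111bbbb"
FOREIGN_TOKEN = {"tid": FOREIGN_TID, "iss": f"{ISSUER_PREFIX}{FOREIGN_TID}{ISSUER_SUFFIX}", "upn": "eve@other.example"}

if __name__ == "__main__":
    for token in (OWN_TOKEN, FOREIGN_TOKEN):
        print(token["upn"], "->", check_tenant(token))
```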