A serious flaw was discovered in Microsoft's Bing search engine earlier this year. The bug allowed manipulation of Bing search results and access to sensitive information in other Bing users' accounts in services such as Teams, Outlook, and Office 365.
In January, security researchers at Wiz found a misconfiguration in Microsoft's Azure cloud computing platform that affected Bing and gave any Azure user unauthorized access to affected applications.
Misconfiguration in Azure
The Verge reported that the flaw lay in Microsoft's Azure Active Directory (AAD), its identity and access management platform. Because AAD applications can be configured as multi-tenant, it falls to the application's developers to verify which Azure users are actually authorized to access it.
Because it is unclear to many developers that this responsibility is theirs, such misconfigurations are widespread: according to Wiz, 25% of the multi-tenant applications it analyzed lacked sufficient validation.
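To make the validation gap concrete, here is an added example (not Microsoft's or Wiz's code) that contrasts the misconfigured check with a hardened one over the decoded claims of an AAD token. The tenant and application IDs are constructed placeholders, and token signature verification is assumed to have happened before these functions run.

```python
from typing import Iterable, Mapping

# Constructed placeholder identifiers for the example; they are not Microsoft's,
# Bing's or Wiz's real tenant or application IDs.
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
ALLOWED_TENANTS = {HOME_TENANT}
APP_CLIENT_ID = "00000000-0000-0000-0000-00000000beef"
V2_ISSUER_PREFIX = "https://login.microsoftonline.com/"
V1_ISSUER_PREFIX = "https://sts.windows.net/"


def validate_claims_weak(claims: Mapping[str, str]) -> bool:
    """The misconfigured pattern: any AAD-signed token for this app is accepted,
    no matter which tenant issued it. Signature checking is assumed to have
    happened upstream; this function only looks at the decoded claims."""
    iss = claims.get("iss", "")
    return claims.get("aud") == APP_CLIENT_ID and (
        iss.startswith(V2_ISSUER_PREFIX) or iss.startswith(V1_ISSUER_PREFIX)
    )


def validate_claims(claims: Mapping[str, str],
                    allowed_tenants: Iterable[str] = ALLOWED_TENANTS) -> bool:
    """Hardened pattern: the token must be for this app, carry a tenant ID on
    the allowlist, and its issuer must name that same tenant, so a token from
    a stranger's tenant (or one with a mismatched iss/tid pair) is rejected."""
    if claims.get("aud") != APP_CLIENT_ID:
        return False
    tid = claims.get("tid")
    if not tid or tid not in set(allowed_tenants):
        return False
    # v2.0 tokens use .../{tid}/v2.0 as issuer; v1.0 tokens use sts.windows.net/{tid}/
    expected = {f"{V2_ISSUER_PREFIX}{tid}/v2.0", f"{V1_ISSUER_PREFIX}{tid}/"}
    return claims.get("iss") in expected


# Constructed decoded tokens (claims only) for the two cases that matter here.
OWN_TENANT_TOKEN = {"aud": APP_CLIENT_ID, "tid": HOME_TENANT,
                    "iss": f"{V2_ISSUER_PREFIX}{HOME_TENANT}/v2.0"}
FOREIGN_TENANT = "22222222-2222-2222-2222-222222222222"
FOREIGN_TENANT_TOKEN = {"aud": APP_CLIENT_ID, "tid": FOREIGN_TENANT,
                        "iss": f"{V2_ISSUER_PREFIX}{FOREIGN_TENANT}/v2.0"}

if __name__ == "__main__":
    print("weak check accepts foreign tenant:", validate_claims_weak(FOREIGN_TENANT_TOKEN))
    print("hardened check accepts foreign tenant:", validate_claims(FOREIGN_TENANT_TOKEN))
    print("hardened check accepts own tenant:", validate_claims(OWN_TENANT_TOKEN))
```

The weak check is exactly the behaviour described above: a valid login from any Azure tenant passes, which is why an unrelated Azure account could reach the Bing Trivia app.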
Bing Trivia was one such app. After logging in to it with their own Azure credentials, the researchers were able to reach a content management system (CMS) that gave them direct control over Bing.com's live search results.
Wiz points out that anyone who reached the Bing Trivia app page could have modified Bing's search results to spread false information or phishing links.
Exposure to the Bug
Through Bing's Work search, the bug also exposed other Office 365 users' Outlook inboxes, calendars, Teams chats, SharePoint files, and OneDrive folders. Wiz demonstrated the impact by accessing a dummy victim's mailbox and reading its emails.
Several other cloud-hosted Microsoft services, including Mag News, Contact Center, PoliCheck, Power Automate Blog, and Cosmos, were found to be exposed by the same misconfiguration.
Wiz chief technology officer Ami Luttwak told The Wall Street Journal that an attacker could have altered Bing search results and compromised the Microsoft 365 emails and data of millions of consumers. That attacker could have been a government seeking to sway public opinion or a hacker motivated by financial gain.
Timeline in Brief
The bug was reported to the Microsoft Security Response Center on Jan. 31. According to Luttwak, Microsoft released a fix for the issue on Feb. 2.
On Feb. 25, Wiz reported the remaining vulnerable applications, and on Mar. 20 Microsoft confirmed that all reported issues had been resolved. Microsoft said it had also made further changes to reduce the likelihood of similar misconfigurations in future.
Since introducing its artificial intelligence (AI)-powered Bing Chat feature on Feb. 7, Bing has seen a dramatic rise in popularity, with its daily active users recently passing the 100 million mark.
According to Similarweb, Bing is the 30th most visited website in the world. Had the flaw not been fixed a few days before, this easily accessible exploit could have exposed millions of people.