An exploit was discovered in Bing that allowed manipulating Bing search results and gaining access to Outlook accounts
Earlier this year, a vulnerability was discovered in Microsoft Bing that allowed attackers to modify search results and access personal information of Bing users in services such as Teams, Outlook, and Office 365. Back in January, security researchers at Wiz found that the root cause was a misconfiguration in Azure, Microsoft's cloud computing platform, which ultimately compromised Bing.
Here's What We Know
The vulnerability was discovered in the Azure Active Directory service. Applications configured with the platform's multi-user (multi-tenant) permissions can be signed into by any Azure user, so developers should check which users actually have access to their applications. In practice this check is often skipped, which leaves a loophole for attackers. According to a Wiz study, about 25% of users have this problem.
I hacked into a @Bing CMS that allowed me to alter search results and take over millions of @Office365 accounts.
How did I do it? Well, it all started with a simple click in @Azure...
This is the story of #BingBang ⬇️ pic.twitter.com/9pydWvHhJs
- Hillai Ben-Sasson (@hillai), 29 March 2023
One such application was Bing Trivia. The researchers were able to log into the app using their own Azure accounts, and there they found a content management system (CMS) that let them control live search results on Bing.com. Wiz emphasises that anyone who reached the Bing Trivia app page could potentially have manipulated Bing search results to launch disinformation or phishing campaigns.
Wiz recommends that organisations with Azure Active Directory apps check their app logs for any suspicious logins that could indicate a security breach.
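The two checks the article asks for, which applications accept sign-ins from outside the home tenant and whether such sign-ins already appear in the logs, can be scripted. The Python below is an added example written for this page; it is not Wiz's or Microsoft's code. It works on constructed JSON shaped like the Microsoft Graph application and sign-in resources: the signInAudience values are Graph's documented enum, while the homeTenantId and resourceTenantId fields on sign-in records are an assumption about the export you have (they appear in the Azure Monitor SigninLogs table and the beta signIn resource; adjust the names to your schema). The home tenant ID and every record are made up.

```python
"""Defender-side triage of multi-tenant Azure AD app registrations.

Assumptions (not from the article): Graph-style JSON for applications
and sign-ins, with homeTenantId/resourceTenantId present on sign-ins.
All tenant IDs, app IDs and sign-in records below are constructed.
"""
import json

HOME_TENANT = "11111111-1111-1111-1111-111111111111"  # constructed

# Graph signInAudience enum. Anything other than AzureADMyOrg lets
# identities from outside the home tenant authenticate to the app.
MULTI_TENANT_AUDIENCES = {
    "AzureADMultipleOrgs",
    "AzureADandPersonalMicrosoftAccount",
    "PersonalMicrosoftAccount",
}

# Constructed sample: shape of GET /v1.0/applications?$select=appId,displayName,signInAudience
APPLICATIONS_JSON = json.dumps({"value": [
    {"appId": "app-0001", "displayName": "Trivia CMS",
     "signInAudience": "AzureADMultipleOrgs"},
    {"appId": "app-0002", "displayName": "Internal Dashboard",
     "signInAudience": "AzureADMyOrg"},
    {"appId": "app-0003", "displayName": "Partner Portal",
     "signInAudience": "AzureADandPersonalMicrosoftAccount"},
]})

# Constructed sample sign-in records (field names assumed, see docstring).
SIGNINS_JSON = json.dumps({"value": [
    {"appId": "app-0001", "userPrincipalName": "alice@corp.example",
     "homeTenantId": HOME_TENANT, "resourceTenantId": HOME_TENANT,
     "ipAddress": "203.0.113.10", "createdDateTime": "2023-01-30T09:00:00Z"},
    {"appId": "app-0001", "userPrincipalName": "guest@other.example",
     "homeTenantId": "22222222-2222-2222-2222-222222222222",
     "resourceTenantId": HOME_TENANT,
     "ipAddress": "198.51.100.7", "createdDateTime": "2023-01-31T14:12:00Z"},
    {"appId": "app-0002", "userPrincipalName": "bob@corp.example",
     "homeTenantId": HOME_TENANT, "resourceTenantId": HOME_TENANT,
     "ipAddress": "203.0.113.11", "createdDateTime": "2023-01-31T15:00:00Z"},
    {"appId": "app-0003", "userPrincipalName": "someone@personal.example",
     "homeTenantId": "33333333-3333-3333-3333-333333333333",
     "resourceTenantId": HOME_TENANT,
     "ipAddress": "192.0.2.44", "createdDateTime": "2023-02-01T08:30:00Z"},
]})


def multi_tenant_apps(applications_json: str) -> dict:
    """Map appId -> app for every registration that admits outside identities."""
    apps = json.loads(applications_json)["value"]
    return {a["appId"]: a for a in apps
            if a.get("signInAudience") in MULTI_TENANT_AUDIENCES}


def foreign_signins(signins_json: str, flagged_apps: dict,
                    home_tenant: str = HOME_TENANT) -> list:
    """Sign-ins to a flagged app by an identity whose home tenant is not ours.

    This is the log pattern the article's advice is about: a user from another
    tenant (or a consumer account) authenticating to one of your apps.
    """
    hits = []
    for s in json.loads(signins_json)["value"]:
        if s["appId"] not in flagged_apps:
            continue
        if s.get("homeTenantId") != home_tenant:
            hits.append(s)
    return hits


def triage_report(applications_json: str, signins_json: str) -> dict:
    """Group foreign sign-ins by app display name for a quick review."""
    flagged = multi_tenant_apps(applications_json)
    report = {app["displayName"]: [] for app in flagged.values()}
    for s in foreign_signins(signins_json, flagged):
        name = flagged[s["appId"]]["displayName"]
        report[name].append(
            f'{s["createdDateTime"]} {s["userPrincipalName"]} '
            f'from tenant {s["homeTenantId"]} ip {s["ipAddress"]}')
    return report


if __name__ == "__main__":
    for app, lines in triage_report(APPLICATIONS_JSON, SIGNINS_JSON).items():
        print(f"[multi-tenant] {app}: {len(lines)} foreign sign-in(s)")
        for line in lines:
            print("   ", line)
```

A multi-tenant audience is only the starting point for review: an app may legitimately serve other tenants, but then it must itself verify the tenant claim in the token and authorize on it, which is the check the article says is usually missing. An app that has no reason to accept outside identities should simply be switched to the single-tenant audience.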
Source: The Verge