An exploit was discovered in Bing that allowed manipulating Bing search results and gaining access to Outlook accounts
Earlier this year, a vulnerability was discovered in Microsoft Bing that allowed attackers to modify search results and access personal information of Bing users in services such as Teams, Outlook, and Office 365. Back in January, Wiz security experts discovered a vulnerability in the configuration of Azure, the cloud computing platform that actually compromised Bing.
Here's What We Know
The vulnerability was discovered in the Azure Active Directory service. Applications that use the platform's multi-user permissions are available to any Azure user, so developers should check which users have access to their applications. However, this check is usually not performed, which creates potential loopholes for hackers. According to a Wiz study, about 25% of users have problems with this.
One of such applications is Bing Trivia. The researchers were able to log into the app using their own Azure accounts, where they discovered a content management system (CMS) that allowed them to control live search results on Bing.com. Wiz emphasises that anyone who accessed the Bing Trivia app page could potentially manipulate Bing search results to launch disinformation or phishing campaigns.
Wiz recommends that organisations with Azure Active Directory apps check their app logs for any suspicious logins that could indicate a security breach.
Source: The Verge