Due to a flaw in Microsoft’s application configuration, anyone could access and modify Bing’s search results. “Could”, because the problem was discovered on January 31, 2023 and fixed by the company on March 28. One of the proofs of the defect was a change to the “Best soundtracks” list, in which the film Dune was replaced by Hackers: Computer Hackers.
The discovery was made by the team of analysts at Wiz Research, a group of professionals that aims to detect threats to the cloud and build mechanisms to protect it. They realized that an app built on Azure App Services or Azure Functions could be misconfigured so that any user, not only the intended ones, was allowed access to the app.
Next, the analysts found an application called “Bing Trivia” that was misconfigured in exactly this way, allowing anyone to log in and reach the app’s Content Management System (CMS). It didn’t take long for the team to notice that the CMS content was directly linked to Bing.com. In other words, it was possible to get into the Microsoft search engine and modify its results.
As a test, they successfully changed a search result for “Best Soundtracks”. The professionals altered the first title on the list, from its name to its thumbnail image. The Wiz Research team even managed to add a link and generic text.
XSS attack on Bing was also possible
The analysts then tried injecting a payload through the same loophole they had found in the “Bing Trivia” app. They soon realized they could carry out an XSS (Cross-Site Scripting) attack, placing malicious code on Bing.com and turning the site into a trap for its users.
The Wiz Research team’s tests showed that a victim’s Microsoft 365 security could be compromised as soon as the user saw the carousel on the search results page. This would give cybercriminals full access to personal information such as email, Teams messages, and OneDrive files.
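The root of the XSS described above is that CMS-controlled fields (a title, a link, a thumbnail) were rendered into the search page without treating them as untrusted. The following is an added example, not Bing’s or Wiz Research’s code: a vulnerable carousel renderer next to a hardened one, run over a constructed, tampered CMS entry. The field names and the entry itself are assumptions for illustration.

```python
import html
from urllib.parse import urlparse

# Constructed sample: a carousel entry as it might look after someone with CMS
# access tampered with it. Field names are assumed, not Bing's real schema.
TAMPERED_ENTRY = {
    "title": "Hackers<script>alert(1)</script>",
    "url": "javascript:alert(document.domain)",
    "thumbnail": 'x" onerror="alert(1)',
}

def render_unsafe(entry):
    """Vulnerable: CMS fields are concatenated straight into the page markup."""
    return (
        f'<div class="card"><a href="{entry["url"]}">'
        f'<img src="{entry["thumbnail"]}"><span>{entry["title"]}</span></a></div>'
    )

SAFE_SCHEMES = {"http", "https"}

def safe_url(value):
    """Allow only absolute http(s) URLs. html.escape alone would leave a
    javascript: href intact, so the scheme has to be allowlisted as well."""
    parsed = urlparse(value)  # urlparse lowercases the scheme for us
    if parsed.scheme in SAFE_SCHEMES and parsed.netloc:
        return value
    return "#"

def render_safe(entry):
    """Hardened: text is HTML-escaped (quote=True also escapes quotes, which
    matters inside attributes) and link targets are restricted to http(s)."""
    title = html.escape(entry["title"], quote=True)
    url = html.escape(safe_url(entry["url"]), quote=True)
    thumb = html.escape(safe_url(entry["thumbnail"]), quote=True)
    return (
        f'<div class="card"><a href="{url}">'
        f'<img src="{thumb}"><span>{title}</span></a></div>'
    )

def contains_active_content(markup):
    """Crude check used to compare the two renderers: does the output still
    carry a script tag, a javascript: link, or an injected event handler?"""
    lowered = markup.lower()
    return ("<script" in lowered
            or 'href="javascript:' in lowered
            or '" onerror=' in lowered)
```

Escaping and scheme allowlisting on output is the mitigation for the rendering side; it does not replace fixing the login misconfiguration that let untrusted users reach the CMS in the first place.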
Once they were certain of their findings, the professionals shared the data with Microsoft.
The Redmond-based company claimed that the flaw affected only a small portion of internal apps and that fixes were implemented immediately. It also reported that it has introduced security improvements to prevent configuration errors in Microsoft Azure from becoming problems in the future.
Finally, in an announcement released on Wednesday (the 29th), the company said that “this type of functionality has been disabled in 99% of applications for consumers”.
With information from Bleeping Computer.