April 1, 2023Rabbi LakshmananAzure / Active Directory

Microsoft has patched a misconfiguration issue affecting Azure Active Directory (AAD) identity and access management services that exposed several “high impact” applications to unauthorized access.

“One of these apps is the content management system (CMS) that powers Bing.com, allowing it to not only alter search results, but launch high-impact XSS attacks against Bing users. We did,” said Wiz, a cloud security firm. Said in the report. “These attacks could compromise a user’s personal data, such as his Outlook emails and his SharePoint documents.”

This issue was reported to Microsoft in January and February 2022, after which Microsoft applied a fix and awarded Wiz a $40,000 bug bounty.redmond Said We found no evidence that the misconfiguration was actually exploited.

The core of this vulnerability stems from something called “shared responsibility confusion”. This is where Azure apps can be misconfigured to allow users from Microsoft tenants, leading to potential cases of unintended access.

Interestingly, many Microsoft’s own internal apps were found to exhibit this behavior, allowing external parties to obtain read and write access to the affected applications.

This includes the Bing Trivia app, which the cybersecurity firm used to alter Bing search results and manipulate homepage content as part of an attack chain called BingBang.

Azure AD vulnerabilities

Worse, the exploit could be weaponized to trigger a cross-site scripting (XSS) attack against Bing.com and extract the victim’s Outlook emails, calendars, Teams messages, SharePoint documents, and OneDrive files. .

Azure AD vulnerabilities

“Malicious attackers with the same access could have hijacked the most popular search results with the same payload, exfiltrating sensitive data from millions of users,” Wiz researchers said. One Hillai Ben-Sasson said:

Other apps found to be susceptible to misconfiguration issues include Mag News, Central Notification Service (CNS), Contact Center, PoliCheck, Power Automate blog, COSMOS, and others.

THN webinars

Become an Incident Response Pro!

Unlocking the Secrets of Bulletproof Incident Response – Master the 6-step process with Asaf Perlman, IR Lead at Cynet!

Don’t miss it – secure your seat!

Developed as an enterprise penetration testing company, NetSPI. clearly cross-tenant vulnerability details Power Platform Connector It can be abused to access sensitive data.

Following a responsible disclosure in September 2022, the deserialization vulnerability was resolved by Microsoft in December 2022.

This investigation also follows the release of a patch to remediate Super FabriXss (CVE-2023-23383, CVSS score: 8.2). This is an XSS vulnerability reflected in Azure Service Fabric Explorer (SFX) that could lead to unauthenticated remote code execution.

Did you find this article interesting?Please follow us twitter and LinkedIn To read more exclusive content that we post.



Register now for our membership to gain access to our elite training program and fast forward your career today!


Subscribe my Newsletter for new blog posts, tips & new photos. Let's stay updated!

Security Blog

Blue Training Academy

Blue Training Academy was developed in 2018 as a educational and training facility for continuing education and certification courses. Blue Training Academy is an educational institution that allows for all sectors of the public and Criminal Justice field to gain ongoing training and education.

Copyright ©️ All rights reserved. | Blue Training Academy Blog