Microsoft has patched a misconfiguration issue affecting Azure Active Directory (AAD) identity and access management services that exposed several "high impact" applications to unauthorized access.
"One of these apps is the content management system (CMS) that powers Bing.com, allowing us to not only alter search results, but launch high-impact XSS attacks against Bing users," cloud security firm Wiz said in its report. "These attacks could compromise a user's personal data, such as Outlook emails and SharePoint documents."
The issue was reported to Microsoft in January and February 2023, after which the company applied a fix and awarded Wiz a $40,000 bug bounty. The Redmond-based company said it found no evidence that the misconfiguration had actually been exploited.
At the core of the issue is what Wiz calls "shared responsibility confusion." An Azure AD application can be registered as multi-tenant, so that Azure AD will issue it valid tokens for users from any Microsoft tenant, not just the one that owns the app. If the application itself never checks which tenant a signed-in user belongs to, any Azure account can log in, leading to unintended access.
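The missing check, as an added example that is not Wiz's or Microsoft's code: a multi-tenant app registration (signInAudience set to AzureADMultipleOrgs rather than AzureADMyOrg) gets tokens for users of every Azure AD tenant, so the application has to enforce the tenant allow-list itself by validating the token's tid and iss claims. The tenant IDs, the api://example-cms audience and the sample tokens below are constructed for the example; signature verification against the Azure AD JWKS is assumed to have been done before this code runs.

```python
import base64
import json

# Constructed for this example: the one tenant the application should serve.
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
ALLOWED_TENANTS = {HOME_TENANT}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWT. No signature check here: the caller
    is assumed to have verified the signature already, which proves Azure AD
    issued the token but says nothing about WHICH tenant the user belongs to."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def expected_issuers(tid: str) -> set:
    """Issuer strings Azure AD uses for a tenant (v2.0 and v1.0 endpoints)."""
    return {
        f"https://login.microsoftonline.com/{tid}/v2.0",
        f"https://sts.windows.net/{tid}/",
    }


def token_is_from_allowed_tenant(token: str, allowed=frozenset(ALLOWED_TENANTS)) -> bool:
    """The check the misconfigured apps lacked: reject any token whose tenant is
    not on the allow-list, and require the issuer to match that tenant so a
    token cannot name one tid while carrying another tenant's issuer."""
    claims = decode_claims(token)
    tid = claims.get("tid")
    if not isinstance(tid, str) or tid not in allowed:
        return False
    return claims.get("iss") in expected_issuers(tid)


def make_sample_token(claims: dict) -> str:
    """Build a constructed token (header.payload.dummy-signature) for offline
    use; a real Azure AD token carries an RS256 signature in the last segment."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'not-a-real-signature')}"


# Constructed sample tokens: a user of the app's own tenant, and an account from
# an unrelated Azure AD tenant, for which a multi-tenant app registration lets
# Azure AD issue an equally valid token.
INSIDER_TOKEN = make_sample_token({
    "iss": f"https://login.microsoftonline.com/{HOME_TENANT}/v2.0",
    "tid": HOME_TENANT, "sub": "alice", "aud": "api://example-cms",
})
OUTSIDER_TENANT = "22222222-2222-2222-2222-222222222222"
OUTSIDER_TOKEN = make_sample_token({
    "iss": f"https://login.microsoftonline.com/{OUTSIDER_TENANT}/v2.0",
    "tid": OUTSIDER_TENANT, "sub": "mallory", "aud": "api://example-cms",
})

if __name__ == "__main__":
    print("insider accepted:", token_is_from_allowed_tenant(INSIDER_TOKEN))
    print("outsider accepted:", token_is_from_allowed_tenant(OUTSIDER_TOKEN))
```

The outsider's token is cryptographically valid, so a signature check alone passes it; only the tenant comparison rejects it. Restricting the app registration to a single tenant closes the same hole at the identity-provider side, but an app that must stay multi-tenant still needs this check in its own code.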
Interestingly, many of Microsoft's own internal apps were found to exhibit this behavior, allowing external parties to obtain read and write access to the affected applications.
This includes the Bing Trivia app, which the cybersecurity firm used to alter Bing search results and manipulate homepage content as part of an attack chain called BingBang.
Worse, the exploit could be weaponized to trigger a cross-site scripting (XSS) attack against Bing.com and extract the victim's Outlook emails, calendars, Teams messages, SharePoint documents, and OneDrive files.
"Malicious attackers with the same access could have hijacked the most popular search results with the same payload, exfiltrating sensitive data from millions of users," Wiz researcher Hillai Ben-Sasson said.
Other apps found to be susceptible to misconfiguration issues include Mag News, Central Notification Service (CNS), Contact Center, PoliCheck, Power Automate blog, COSMOS, and others.
The development comes as enterprise penetration testing firm NetSPI disclosed details of a cross-tenant vulnerability in Power Platform connectors that could be abused to gain access to sensitive data.
Following a responsible disclosure in September 2022, the deserialization vulnerability was resolved by Microsoft in December 2022.
The findings also follow the release of a patch for Super FabriXss (CVE-2023-23383, CVSS score: 8.2), a reflected XSS vulnerability in Azure Service Fabric Explorer (SFX) that could lead to unauthenticated remote code execution.