Microsoft fixes 'BingBang' vulnerability allowing Bing search content manipulation, Office 365 data theft




Security researchers at Wiz Research found a misconfiguration in Azure Active Directory (AAD) that let them sign in to a Microsoft application, “Bing Trivia”, from an Azure account that did not belong to Microsoft, change content shown on Bing.com, and deliver a Cross-Site Scripting (XSS) payload to Bing users. The problem, dubbed “BingBang”, could have exposed the Microsoft 365 account data of millions of people; Microsoft fixed it within days of Wiz’s report.

Wiz reported the issue to Microsoft on January 31, 2023, and Microsoft fixed it on February 2, days before the software giant officially announced the new Bing. According to Wiz’s report, the flaw may have been exploitable for years, though the researchers found no indication that attackers had abused it.

In the report, the researchers detail how they carried out the “BingBang” attack: they first used the misconfigured Microsoft application, a content management backend for Bing, to change the content of a specific Bing.com search result. According to Wiz, the mistake originated in a “risky configuration” in AAD: the app registration accepted sign-ins from any Azure AD tenant, and the application itself never checked which tenant a user actually came from, so any Azure AD account could reach its admin interface.

“This Shared Responsibility architecture is not always clear to developers, and as a result, validation and configuration mistakes are quite prevalent,” Wiz wrote in the blog post, adding that approximately 25% of the multi-tenant apps the group scanned were vulnerable to the same authentication bypass.
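The split of responsibility that Wiz describes is concrete: Azure AD will happily issue a valid, signed token to any tenant's user for a multi-tenant app, and it is the application's job to decide which tenants it trusts. The following is an added example, not code from Wiz's or Microsoft's report, of a minimal authorization gate for such an app. It shows the BingBang-class mistake (accepting any genuine token) next to the fix (pinning audience, issuer and tenant). The client ID, tenant IDs and user names are hypothetical, and the tokens are constructed and HMAC-signed with a made-up key so the example runs offline; real Azure AD tokens are RS256-signed and must be verified against the keys published at the tenant's OpenID discovery endpoint.

```python
"""
Added example: tenant validation for a multi-tenant Azure AD app.
Tokens are constructed and HMAC-signed with a demo key (assumption) so this
runs offline; production code must verify RS256 signatures against Azure AD's
published keys instead.
"""
import base64
import hashlib
import hmac
import json
import time

DEMO_KEY = b"demo-signing-key"  # constructed; stands in for Microsoft's signing keys
APP_CLIENT_ID = "11111111-1111-1111-1111-111111111111"  # hypothetical app registration (audience)
HOME_TENANT = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"    # hypothetical tenant that owns the app
FOREIGN_TENANT = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"  # hypothetical attacker-controlled tenant


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(tid: str, upn: str, aud: str = APP_CLIENT_ID) -> str:
    """Build a constructed Azure-AD-shaped access token issued by tenant `tid`."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": f"https://login.microsoftonline.com/{tid}/v2.0",
        "tid": tid,
        "aud": aud,
        "upn": upn,
        "exp": int(time.time()) + 600,
    }
    signing_input = (
        f"{_b64url(json.dumps(header).encode())}."
        f"{_b64url(json.dumps(claims).encode())}"
    )
    sig = hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def _verify_and_decode(token: str):
    """Signature and expiry check only: answers 'is this a genuine token?'.

    Returns the claims dict, or None if the token is malformed, forged or expired.
    """
    try:
        h, p, s = token.split(".")
        expected = hmac.new(DEMO_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # bad segment count, bad base64, bad JSON
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) < time.time():
        return None
    return claims


def authorize_vulnerable(token: str) -> bool:
    """The BingBang-class mistake: any validly signed token for this app is
    accepted, whatever tenant issued it, so every Azure AD user in the world
    can reach the backend."""
    claims = _verify_and_decode(token)
    return claims is not None and claims.get("aud") == APP_CLIENT_ID


def authorize_fixed(token: str, allowed_tenants=frozenset({HOME_TENANT})) -> bool:
    """Hardened gate: audience, tenant id and issuer must all match expectations."""
    claims = _verify_and_decode(token)
    if claims is None or claims.get("aud") != APP_CLIENT_ID:
        return False
    tid = claims.get("tid")
    if tid not in allowed_tenants:
        return False
    # iss must be the allowed tenant's own issuer; a token whose tid and iss
    # disagree is rejected as well.
    return claims.get("iss") == f"https://login.microsoftonline.com/{tid}/v2.0"


if __name__ == "__main__":
    insider = mint_token(HOME_TENANT, "editor@contoso.example")
    outsider = mint_token(FOREIGN_TENANT, "anyone@attacker.example")
    for label, tok in (("insider", insider), ("outsider", outsider)):
        print(f"{label}: vulnerable={authorize_vulnerable(tok)} fixed={authorize_fixed(tok)}")
```

The point of the pair is that both functions see the same, perfectly valid token for the outsider; only the tenant check separates them. The equivalent configuration-level fix is to register the app as single-tenant (or restrict its supported account types) so that Azure AD refuses to issue tokens for foreign tenants in the first place; doing both is the defence in depth Microsoft's advisory recommends.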

Wiz then injected a harmless XSS payload into Bing.com through the same backend, which also succeeded. Because Bing integrates with the signed-in user's Office 365 account, a malicious payload in that position could have read the data of anyone who viewed the tampered result. The group said that, left unaddressed, the problem could have affected millions of people worldwide.

“A malicious actor with the same access could’ve hijacked the most popular search results with the same payload and leaked the sensitive data of millions of users,” the report added. “According to SimilarWeb, Bing is the 27th most visited website in the world, with over a billion pageviews per month – in other words, millions of users could’ve been exposed to malicious search results and Office 365 data theft.”

Meanwhile, Microsoft released an advisory detailing its actions to resolve the issue. According to the software company, it only “impacted a small number of our internal applications.” Nonetheless, it assured that the misconfiguration had been corrected immediately and that it “made additional changes to reduce the risk of future misconfigurations.”
