Microsoft fixes ‘BingBang’ vulnerability allowing Bing search content manipulation, Office 365 data theft

Security researchers at Wiz Research discovered an issue in Azure Active Directory (AAD) that allowed them to manipulate Bing search results through a misconfigured “Bing Trivia” app and to perform a Cross-Site Scripting (XSS) attack. The problem, named “BingBang,” could have allowed attackers to access the Microsoft 365 account data of millions of people; Microsoft fixed it immediately after Wiz reported the discovery.

Wiz reported the issue to Microsoft on January 31, and Microsoft fixed it on February 2, days before the software giant officially announced the new Bing. According to the Wiz report, the issue could have been exploited for years, although it added that there are no indications attackers used it.

In the report, the researchers detailed how they performed the so-called “BingBang” attack by first using the misconfigured Microsoft application to modify the content of a specific search result. According to the group, this mistake originated from a “risky configuration” in AAD.

“This Shared Responsibility architecture is not always clear to developers, and as a result, validation and configuration mistakes are quite prevalent,” Wiz wrote in the blog post, adding that approximately 25% of the multi-tenant apps the group scanned were vulnerable to the same kind of BingBang attack.
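The article does not spell out which validation step multi-tenant apps get wrong, so the following is an added illustration (not code from Wiz, Microsoft or the Bing Trivia app) of the tenant check a multi-tenant AAD application must perform on top of signature and audience validation: the token's `tid` claim must be a tenant the app actually serves, and the `iss` claim must name that same tenant. All tenant IDs and tokens below are constructed placeholders.

```python
import base64
import json

# Constructed allowlist: the tenants this application actually serves.
# These are placeholder GUIDs, not real tenant IDs.
ALLOWED_TENANTS = {"11111111-1111-1111-1111-111111111111"}


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT.

    Only the payload segment is decoded here; signature and audience
    validation are assumed to have been done by the token library already.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def tenant_is_allowed(claims: dict, allowed=ALLOWED_TENANTS) -> bool:
    """The check a multi-tenant app must add: is the issuing tenant one of ours?

    A signed, well-formed token from *any* AAD tenant passes signature and
    audience checks; without this step every Azure AD user can sign in.
    """
    tid = claims.get("tid")
    if tid not in allowed:
        return False
    # The issuer must be the v2.0 endpoint of that same tenant; a token whose
    # issuer names a different tenant (or the "common" placeholder) is rejected.
    return claims.get("iss") == f"https://login.microsoftonline.com/{tid}/v2.0"


def make_token(claims: dict) -> str:
    """Build a constructed (unsigned) JWT for demonstration only."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'RS256', 'typ': 'JWT'})}.{seg(claims)}.constructed-signature"


HOME = "11111111-1111-1111-1111-111111111111"
FOREIGN = "22222222-2222-2222-2222-222222222222"
HOME_TOKEN = make_token({"tid": HOME, "iss": f"https://login.microsoftonline.com/{HOME}/v2.0"})
FOREIGN_TOKEN = make_token({"tid": FOREIGN, "iss": f"https://login.microsoftonline.com/{FOREIGN}/v2.0"})
# tid claims the home tenant but the issuer does not agree: must also be rejected.
MISMATCH_TOKEN = make_token({"tid": HOME, "iss": f"https://login.microsoftonline.com/{FOREIGN}/v2.0"})

if __name__ == "__main__":
    for name, tok in [("home", HOME_TOKEN), ("foreign", FOREIGN_TOKEN), ("mismatch", MISMATCH_TOKEN)]:
        print(name, "allowed" if tenant_is_allowed(decode_claims(tok)) else "rejected")
```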

After this, Wiz added a harmless XSS payload to the modified search result, which also succeeded. The group said that, if left unaddressed, this problem could have affected millions of people worldwide.

“A malicious actor with the same access could’ve hijacked the most popular search results with the same payload and leaked the sensitive data of millions of users,” the report added. “According to SimilarWeb, Bing is the 27th most visited website in the world, with over a billion pageviews per month – in other words, millions of users could’ve been exposed to malicious search results and Office 365 data theft.”

Meanwhile, Microsoft released an advisory detailing its actions to resolve the issue. According to the company, the issue only “impacted a small number of our internal applications.” Nonetheless, it said the misconfiguration had been corrected immediately and that it “made additional changes to reduce the risk of future misconfigurations.”
