
The AAD misconfiguration that led to Bing.com results manipulation and account takeover explained (BingBang)

This detailed article describes a new attack vector in Azure Active Directory (AAD) discovered by Wiz Research. The misconfiguration exposes affected applications to unauthorized access, with 25% of multi-tenant applications found to be vulnerable. Several high-impact, vulnerable Microsoft applications were found, including a content management system (CMS) that powers Bing.com. This vulnerability allowed unauthorized modification of search results and the launch of high-impact cross-site scripting (XSS) attacks on Bing users, potentially compromising users’ personal data, including Outlook emails and SharePoint documents. The Microsoft Security Response Center (MSRC) fixed the vulnerable applications, updated customer guidance, and patched some AAD functionality to reduce customer exposure.

The article highlights that the complexity of cloud-based identity providers such as Azure Active Directory makes misconfigurations easy to introduce, and that threat actors can leverage them to compromise organizations’ production environments. AAD provides different types of account access, and the article explains that confusion over shared responsibility is prevalent with Azure App Services and Azure Functions: it is unclear who is responsible for validating end-users’ tokens, so configuration and validation mistakes are common.

The article includes a case study called “BingBang”, which illustrates how Microsoft itself fell victim to these misconfiguration pitfalls and exposed one of its most critical apps to anyone on the internet. The case study shows how the Bing Trivia application exposed Microsoft to an authentication bypass. By logging in to the Bing Trivia app with a new user called “Wiz Research”, the Wiz Research team was able to view the admin panel and examine the Bing Trivia home page. By selecting a carousel in the CMS and altering its content, the team was able to modify Bing’s search results, potentially compromising users’ personal data, including Outlook emails and SharePoint documents.

The article ends by recommending that organizations check whether their environment has been affected by this misconfiguration, and it links to the “Customer Remediation Guidelines” section of MSRC’s blog. Organizations are advised to inspect the tokens within their code and decide which users should be allowed to log in, in order to avoid these misconfigurations.

Here is the original article: https://www.wiz.io/blog/azure-active-directory-bing-misconfiguration
Here is Hillai’s thread: https://twitter.com/hillai/status/1641146508639600646?s=61&t=W3xG2ZOWMR1SBkWjVXwyaw