Microsoft has fixed a misconfiguration problem affecting the Azure Active Directory (AAD) identity and access management service that allowed unauthorized access to a number of “high-impact” applications.
One of these apps is a content management system (CMS) that runs Bing.com; according to a report by cloud security company Wiz, access to it let the researchers modify search results and mount high-impact XSS attacks against Bing users.
Such attacks could compromise users' personal information, including emails sent through Outlook and documents stored in SharePoint.
After receiving reports of the problems in January and February 2022, Microsoft fixed them and awarded Wiz a $40,000 bug bounty. Redmond said it had found no evidence that the misconfigurations had been exploited in the wild.
Notably, several of Microsoft’s own internal apps were found to exhibit this behavior, giving outside parties read and write access to the affected apps.
These included the Bing Trivia app, which the security company used as part of an attack chain dubbed BingBang to change Bing search results and even edit content on the homepage.
Worse still, the flaw could be chained with an XSS attack against Bing.com to retrieve a victim’s Outlook emails, calendars, Teams chats, SharePoint documents, and OneDrive files.