Though there is no sign that a threat actor exploited it, a Microsoft vulnerability discovered by a security researcher allowed anyone with an Azure account to log into an attached service and directly manipulate Bing search results.
The hack also provided the ability to steal Office 365 credentials by passing malware to logged-in users who visited Bing. It seems a small miracle that this exploit was not noticed or used by attackers before it was patched, as it could have led to the widespread compromise of users of the increasingly popular Microsoft search engine.
No known “in the wild” compromise of the Microsoft Azure vulnerability, but the opportunity was there
Security researchers with Wiz say that they privately reported the Bing search results vulnerability to Microsoft at the end of January, and that appropriate patches and changes had been made by late March. The full breach window remains unknown, however, and there are concerning questions about who else might have come across the issue given how easy it is to exploit.
Called “BingBang,” the vulnerability simply allowed anyone at all with an Azure login to access a particular Microsoft service that provided full access to the Bing front page. This is not just a Microsoft issue, but potentially impacts any developer who has enabled multi-tenant logins in Azure Active Directory. In fact, a scan by Wiz found that about 25% of multi-tenant setups were vulnerable prior to Microsoft’s updates.
Developers sometimes activate multi-tenant logins by mistake, or do so intentionally but fail to set up a system to validate individual users. The feature does not have great documentation, as demonstrated by the fact that Microsoft’s own Bing Trivia was vulnerable in this way. Logging in to it with any Azure credentials immediately gave the user the power to change the priority rankings of Bing search results via a content management system.
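The tenant validation that the misconfigured apps lacked, as an added example that is not Wiz’s or Microsoft’s code: it assumes Azure AD v2.0 tokens whose `iss` claim is `https://login.microsoftonline.com/<tenant-id>/v2.0` and whose `tid` claim carries the same tenant id, and that the token’s signature and expiry were already verified by a JWT library before these claims are inspected. The weak check beside the hardened one shows why a valid Azure login from any tenant was enough; all ids and tokens are constructed sample values.

```python
import base64
import json
from urllib.parse import urlparse

ISSUER_HOST = "login.microsoftonline.com"
# Constructed sample ids (not from the Wiz report or Microsoft).
APP_ID = "11111111-aaaa-4bbb-8ccc-000000000001"          # this app's client id
HOME_TENANT = "22222222-bbbb-4ccc-8ddd-000000000002"     # tenant the app was built for
OUTSIDE_TENANT = "33333333-cccc-4ddd-8eee-000000000003"  # any unrelated Azure AD tenant

def make_unsigned_token(claims: dict) -> str:
    """Compact JWT with an empty signature, for offline demonstration only."""
    def b64(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."

def decode_payload(token: str) -> dict:
    """Claims segment of a compact JWT; the signature is NOT checked here."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def tenant_from_issuer(iss: str):
    """Tenant id from a v2.0 issuer URL, or None if the URL has the wrong shape."""
    url = urlparse(iss)
    if url.scheme != "https" or url.netloc != ISSUER_HOST:
        return None
    parts = url.path.strip("/").split("/")
    return parts[0] if len(parts) == 2 and parts[1] == "v2.0" else None

def accepts_any_tenant(claims: dict) -> bool:
    """The weak pattern: a token for this app from ANY tenant counts as authorized."""
    return claims.get("aud") == APP_ID

def accepts_allowed_tenant(claims: dict, allowed_tenants: set) -> bool:
    """Hardened: audience matches, issuer and tid agree, and the tenant is allow-listed."""
    if claims.get("aud") != APP_ID:
        return False
    tenant = tenant_from_issuer(claims.get("iss", ""))
    return tenant is not None and claims.get("tid") == tenant and tenant in allowed_tenants

def outside_token_is_rejected() -> bool:
    """Token issued for this app by an unrelated tenant: weak check admits it, hardened does not."""
    claims = decode_payload(make_unsigned_token({
        "aud": APP_ID, "tid": OUTSIDE_TENANT,
        "iss": f"https://{ISSUER_HOST}/{OUTSIDE_TENANT}/v2.0",
    }))
    return accepts_any_tenant(claims) and not accepts_allowed_tenant(claims, {HOME_TENANT})
```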
Attackers would have been able to change the top Bing search results (featured at the beginning of the page) to whatever they liked for any particular keyword or phrase that users might search. This could have been used to redirect unwitting searchers to attack sites, but the vulnerability was even more extensive than this.
More than just Bing search results: Office 365 accounts open to hijacking
An attacker could have done more than just alter Bing search results to try to trick people into visiting a link that drops malware. The access to the Bing homepage also included the ability to add cross-site scripting payloads to it that would automatically capture the credentials of Office 365 users who were logged in while using the search engine.
Microsoft has since fixed the Bing Trivia vulnerability, and has also made some changes to help developers avoid falling into the same trap. Azure access tokens are no longer automatically made available to clients that are not registered, and the App Service Authentication feature now has added layers of checks.