Is Microsoft Bing safe? Someone just manipulated the search results
After spending years in relative obscurity, Microsoft's Bing is slowly gaining traction among users courtesy of its GPT-4-powered avatar. However, the search engine's rise to popularity could have been cut short by a vulnerability that was discovered by Wiz Research and Hillai Ben-Sasson. Microsoft later fixed it, but the bug had wide-ranging implications for Bing. Let's take a look at what happened.
Why does this story matter?
Any issue in a cloud-based identity provider can potentially be leveraged by threat actors to disrupt a business. In Bing's case, the vulnerability stems from Azure Active Directory (AAD). If the bug had been found first by a threat actor, things would have turned out badly. Bing's dream of becoming a proper challenger to Google Search may not have happened either.
25% of multi-tenant apps were vulnerable
Wiz Research found configuration and validation mistakes in AAD. An option under 'App registration' can make an app multi-tenant, which lets users from any Azure AD tenant sign in; unless the app itself validates which tenant a login token came from, any Azure user will be able to log into the application. Upon further research, Wiz Research found that 25% of all multi-tenant apps were vulnerable to this issue. A domain that caught their eye was bingtrivia.azurewebsites.net.
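As an added illustration of the validation mistake described above (this is not code from Wiz Research or Microsoft), the check below contrasts a multi-tenant app that accepts any AAD-issued token with one that compares the token's tenant (`tid`) and issuer claims against the tenants it actually serves. The tenant IDs and token claims are constructed placeholders, and signature verification is assumed to have already happened before this step.

```python
import base64
import json

# Constructed placeholder for the tenant that owns the app; not a real tenant ID.
APP_OWNER_TENANT = "owner-tenant-0000"


def b64url_json(obj: dict) -> str:
    """Base64url-encode a JSON object the way JWT segments are encoded."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed JWT-shaped string (header.payload.) with no signature."""
    header = b64url_json({"alg": "none", "typ": "JWT"})
    return f"{header}.{b64url_json(claims)}."


def decode_claims(token: str) -> dict:
    """Extract the payload segment; assumes the signature was verified upstream."""
    payload = token.split(".")[1]
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def accepts_any_tenant(token: str) -> bool:
    """Vulnerable pattern: only checks that the issuer looks like an AAD issuer,
    so a token from any Azure AD tenant passes."""
    claims = decode_claims(token)
    return claims.get("iss", "").startswith("https://login.microsoftonline.com/")


def accepts_allowed_tenant(token: str, allowed_tenants: set[str]) -> bool:
    """Hardened pattern: the tenant in the token must be one the app expects,
    and the issuer must match that same tenant."""
    claims = decode_claims(token)
    tid = claims.get("tid")
    iss = claims.get("iss", "")
    return (
        tid in allowed_tenants
        and iss == f"https://login.microsoftonline.com/{tid}/v2.0"
    )


# Constructed sample tokens: one from the owner tenant, one from an unrelated tenant.
OWNER_TOKEN = make_unsigned_token({
    "iss": f"https://login.microsoftonline.com/{APP_OWNER_TENANT}/v2.0",
    "tid": APP_OWNER_TENANT, "sub": "user-a",
})
FOREIGN_TOKEN = make_unsigned_token({
    "iss": "https://login.microsoftonline.com/other-tenant-9999/v2.0",
    "tid": "other-tenant-9999", "sub": "user-b",
})
```

The vulnerable check lets the foreign-tenant token through, while the hardened check admits only the owner tenant's token.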
Wiz Research found key sections in Bing Trivia
Wiz Research could log into Bing Trivia even though its account did not belong to the Microsoft tenant. Although it looked like an unremarkable CMS (content management system) at first, upon further analysis, Wiz Research found several sections related to core Bing content. One of the sections contained keywords and their corresponding search results. This is where the story 'BingBang' began.
Researchers were able to manipulate Bing search results
Wiz Research was able to manipulate search results on Bing by altering the content in a carousel in the CMS. They changed the first item in the "best soundtracks" query from Dune to Hackers. Then, they checked for XSS (cross-site scripting) with a harmless payload. The payload was executed successfully. Bing's home page content was also vulnerable to being altered.
Office 365 users were also susceptible to attack
Wiz Research also found out that even Office 365 users were vulnerable. Bing is allowed to issue Office tokens for any logged-in user. The researchers crafted an XSS payload that used the endpoint responsible for Office 365 communications to obtain such a token. They tested it on themselves and it worked. With the token, a threat actor could obtain the victim's Outlook emails, Teams messages, and OneDrive files, among other data.
Wiz Research received $40,000 as bug bounty
Wiz Research informed the Microsoft Security Response Center (MSRC) about its findings. Per Wiz Research, MSRC has fixed everything that was reported. Wiz Research was awarded $40,000 by MSRC as a bug bounty.