Researchers uncover critical vulnerabilities in Microsoft apps
Researchers at cybersecurity firm Wiz have uncovered a new type of attack that lets hackers bypass authentication and take over user accounts in various Microsoft applications. The research traced the vulnerability to Azure Active Directory, a single sign-on and multi-factor authentication service used by organizations worldwide.
According to the research, a misconfiguration in Azure Active Directory led to a collection of potentially serious issues, exposing at least 35% of the apps scanned to authentication bypass. Among the most severe examples is an exposed admin interface tied to Bing: any user could reach it, which amounted to a working admin panel for the search engine.
The research team was able to manipulate search engine results and launch Cross-Site Scripting (XSS) attacks, which enabled them to compromise the Office 365 credentials of any Bing user. This granted access to sensitive data such as Outlook emails, SharePoint files, and Teams messages. The attack has been dubbed "BingBang", and given Bing's popularity (it is the 27th most visited website globally) it presents a significant risk to users.
The researchers also discovered vulnerabilities in other applications: Mag News, a control panel for MSN newsletters; PoliCheck, a forbidden-word checker; Power Automate Blog, a WordPress admin panel; and CNS API, a Central Notification Service. These applications could be used to send internal notifications to Microsoft developers or to send emails to a large number of recipients.
Microsoft was notified of these vulnerabilities and immediately took steps to address them. In a guidance document, Microsoft confirmed that the issue had been addressed and that additional authorization checks had been implemented to mitigate future risk. The Bing issue was first reported on January 31 and fixed the same day; the additional vulnerabilities were reported on February 25 and fixed by March 20.
Although there is no solid evidence that these flaws were exploited by hackers, caution is warranted. According to Microsoft, Azure Active Directory logs are "insufficient to provide insight on past activity," so users are advised to review application logs and check for any evidence of dubious logins.
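The kind of authorization check the article mentions (an application verifying which Azure AD tenant issued a token before granting access), together with the log review it recommends, as an added Python example that is not from the article, Wiz, or Microsoft. It assumes the token signature has already been verified and that `claims` is the decoded JWT payload; the tenant ids and sign-in records are constructed placeholders.

```python
from typing import Dict, List, Optional

# Constructed placeholder tenant ids, not real tenants.
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
ALLOWED_TENANTS = {HOME_TENANT}

# Issuer prefixes of Azure AD v1.0 and v2.0 tokens; the issuing tenant id follows them.
ISSUER_PREFIXES = ("https://sts.windows.net/", "https://login.microsoftonline.com/")


def issuer_tenant(claims: Dict) -> Optional[str]:
    """Return the tenant id that issued a (signature-verified) token, or None."""
    iss = claims.get("iss", "")
    tid = claims.get("tid")
    for prefix in ISSUER_PREFIXES:
        if iss.startswith(prefix):
            # The tenant id embedded in the issuer URL must match the tid claim.
            iss_tid = iss[len(prefix):].split("/")[0]
            return tid if tid and iss_tid == tid else None
    return None


def accepts_any_tenant(claims: Dict) -> bool:
    """Weak check: accepts any token Azure AD signed, whichever tenant issued it."""
    return claims.get("iss", "").startswith(ISSUER_PREFIXES)


def accepts_allowed_tenant(claims: Dict, allowed=ALLOWED_TENANTS) -> bool:
    """Hardened check: the issuing tenant must be on an explicit allow-list."""
    return issuer_tenant(claims) in allowed


def foreign_tenant_logins(records: List[Dict], allowed=ALLOWED_TENANTS) -> List[str]:
    """Flag sign-ins whose token came from a tenant outside the allow-list."""
    return [r["upn"] for r in records if issuer_tenant(r) not in allowed]


# Constructed sample sign-in records (decoded token claims), not real log data.
SAMPLE_SIGNINS = [
    {"iss": f"https://login.microsoftonline.com/{HOME_TENANT}/v2.0",
     "tid": HOME_TENANT, "upn": "admin@home.example"},
    {"iss": "https://login.microsoftonline.com/22222222-2222-2222-2222-222222222222/v2.0",
     "tid": "22222222-2222-2222-2222-222222222222", "upn": "outsider@other.example"},
    {"iss": f"https://sts.windows.net/{HOME_TENANT}/",
     "tid": "33333333-3333-3333-3333-333333333333", "upn": "mismatch@home.example"},
]

if __name__ == "__main__":
    print("flagged:", foreign_tenant_logins(SAMPLE_SIGNINS))
```

The weak check passes the outsider's token because it was signed by Azure AD, while the hardened check rejects both the foreign tenant and the record whose issuer URL and `tid` claim disagree.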
The sources for this piece include an article in Malwarebytes.