This mega Microsoft security flaw could let hackers change Bing results, access Outlook emails

Microsoft has patched a high-severity vulnerability in its Bing search engine, which allowed potential threat actors to not only alter search results, but also access people’s Office 365 data.

Cybersecurity researchers from Wiz discovered the flaw in January 2023, identifying it as a misconfiguration in the Azure Active Directory (AAD) identity and access management service in Microsoft's Azure cloud platform.

Aside from changing search engine results, the flaw could allow access to other people’s Office 365 data, such as Outlook emails, calendars, Teams messages, OneDrive files, and more.

A common occurrence

Some applications on Azure are configured as multi-tenant, which makes them accessible to any Azure user. That means developers need to set up a way to validate users and keep tabs on who gets to access what. According to The Verge, this is where many get it wrong, as misconfigurations in this respect are “a common occurrence.” Wiz says 25% of all multi-tenant apps it scanned lacked proper validation.
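As an added example (not code from the article or from Wiz), this is the kind of tenant check a multi-tenant Azure AD app has to perform on every token before granting access; the tenant id, audience and issuer values are constructed placeholders, and signature verification is assumed to be done separately by a JWT library.

```python
import base64
import json
import time
from typing import Optional, Tuple

# Constructed placeholder values for this example; not real tenant or app ids.
ALLOWED_TENANTS = {"11111111-2222-3333-4444-555555555555"}
EXPECTED_AUDIENCE = "api://example-multitenant-app"


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    This does NOT check the signature; a JWT library must verify it against
    the issuing tenant's signing keys before these claims are trusted.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def validate_tenant_claims(claims: dict, now: Optional[float] = None) -> Tuple[bool, str]:
    """Reject tokens that are genuine Azure AD tokens but come from the wrong tenant.

    This is the check the misconfigured multi-tenant apps described above were
    missing: any Azure AD user could sign in, so the app must pin the tenants it accepts.
    """
    now = time.time() if now is None else now
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return False, "audience mismatch"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    tid = claims.get("tid")
    if not tid:
        return False, "missing tid claim"
    if tid not in ALLOWED_TENANTS:
        return False, f"tenant {tid} not allowed"
    # The issuer must agree with tid (v2.0 endpoint issuer format).
    if claims.get("iss") != f"https://login.microsoftonline.com/{tid}/v2.0":
        return False, "issuer does not match tid"
    return True, "ok"


def make_demo_token(claims: dict) -> str:
    """Build an unsigned demo token so the example runs offline (constructed, not real)."""
    def b64(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.signature-placeholder"
```

In a real deployment the allowlist is the set of tenants the app is meant to serve, and the same check must run on every authenticated request, not only at sign-in.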

This is exactly what happened with Bing Trivia, which allowed the researchers to log in with their own Azure accounts. Once logged in, they were granted access to a content management system (CMS) that let them alter live search results from Bing. The researchers said that they didn’t do anything spectacular here - anyone who knew how to reach the Bing Trivia page could have done the same.

Besides altering search engine results, the researchers also discovered they were given access to other people’s Office 365 data, such as Outlook emails, calendars, Teams messages, OneDrive files, and more. The researchers tested this on a mock email inbox and confirmed the vulnerability. But the vulnerability’s reach doesn’t end here - more than 1,000 apps and websites on Microsoft’s cloud had similar abusable misconfigurations, among them Mag News, PoliCheck, Cosmos, and more.

“A potential attacker could have influenced Bing search results and compromised Microsoft 365 emails and data of millions of people,” Ami Luttwak, Wiz’s chief technology officer, told The Wall Street Journal. “It could have been a nation-state trying to influence public opinion or a financially motivated hacker.”

Microsoft was notified on January 31 and had fully addressed the vulnerability by March 20. The researchers did not find any evidence of prior abuse.

Via: The Verge



from TechRadar - All the latest technology news https://ift.tt/uxVYypF