In January, security researchers with Wiz discovered a major and dangerous flaw in the Microsoft Bing search engine. Known as “BingBang”, threat actors could potentially alter search results and discover the personal information of Bing users from apps such as Teams, Outlook, and Office 365.
The problem came from Azure Active Directory (AAD), Microsoft's identity management service. Apps using multi-tenant permissions on AAD can be seen by any user, which means developers need to validate users to permit them to use apps.
However, misconfigurations can happen relatively easily. In fact, Wiz says 25% of multi-tenant apps it has scanned do not have proper validation. One of those apps with validation was Bing Trivia. Wiz researchers could log into the app using their Azure account and could access the content management system (CMS).
From there they were able to control live searches in Microsoft's Bing search engine (Bing.com). Anyone who went to the Bing Trivia app could have entered with their Azure credentials and changed/controlled Bing search results.
It is worth noting the BingBang flaw affected 1,000 apps and sites across Microsoft's cloud in total.
“A potential attacker could have influenced Bing search results and compromised Microsoft 365 emails and data of millions of people,” Ami Luttwak, Wiz's chief technology officer, told The Wall Street Journal. “It could have been a nation-state trying to influence public opinion or a financially motivated hacker.”
Quick Fix for Bing Chat Launch
Microsoft was told about the vulnerability on January 31st and the company's Security Response Center issued a fix on February 2. The other apps were then reported to Microsoft on February 25th and the company fixed all of them by March 20.
The reason Microsoft was quick to fix Bing but took longer on the other apps is that Wiz's report happened just a week before the February 7 launch of Bing Chat. The company's new AI search is driven by GPT-4 and provides natural language responses based on AI. It has propelled a new era of success for Bing, pushing the engine to 100 million active users.
However, if it had shipped with this vulnerability the story may have been very different.
Tip of the day: The Windows Sandbox gives Windows 10/11 Pro and Enterprise users a safe space to run suspicious apps without risk. In our tutorial we show you how to enable the Windows Sandbox feature.