
Microsoft Cloud Vulnerability Led to Bing Search Hijacking, Exposure of Office 365 Data

Cybersecurity firm Wiz reported that a misconfiguration in Azure Active Directory (AAD) allowed unauthorized access to applications and could have led to a takeover of Bing.com search results.

Microsoft’s AAD, a cloud-based identity and access management (IAM) service, is typically used as the authentication mechanism for Azure App Services and Azure Functions applications. An application registration can be configured for different types of account access, including multi-tenant, where any user belonging to any Azure AD tenant can obtain an OAuth token for the application from AAD unless the application itself restricts who is allowed to sign in.

For multi-tenant applications, AAD only attests that the token bearer is a valid user of some tenant; developers are responsible for checking the user’s home tenant (the tenant claim in the token) and enforcing an access policy on it to prevent unauthorized logins. Wiz discovered that more than 25% of the multi-tenant apps accessible from the internet lack this validation, including some of Microsoft’s own applications.

One of these apps was Bing Trivia, a Microsoft application that provided access to a content management system (CMS) linked to Bing.com, and which allowed Wiz researchers to control results on Microsoft’s search engine. A malicious actor could have used this to tamper with the results returned for any search term, launch misinformation campaigns, and phish users by impersonating other websites.

Digging deeper, the researchers discovered that Bing and Office 365 were integrated, and that by injecting a cross-site scripting (XSS) payload into Bing.com through the CMS they could steal the Office 365 access token of any user who visited the page. That token gave them access to the user’s Office 365 data, including emails, Teams messages, calendar entries, and SharePoint and OneDrive files.

Microsoft addressed the initial Bing issue on January 31, the same day that Wiz reported it. The tech giant patched the vulnerable applications in late February and issued a $40,000 bug bounty reward this week.

Given the potential impact of the misconfiguration, organizations should review their application registrations to confirm that multi-tenant applications validate the caller’s tenant, or switch to single-tenant authentication if multi-tenancy is not required. For applications that were exposed, checking logs for past sign-ins from unexpected tenants is also recommended; AAD sign-in logs alone are insufficient for that, so application-level logs should be reviewed as well.
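The following is an added example, not code from the article or from Microsoft, showing the check the two paragraphs above describe: the vulnerable pattern that accepts any validly signed AAD token with the right audience, next to the hardened version that also requires the token’s `tid` (tenant ID) claim to be on an allowlist and to agree with the `iss` claim. All tenant IDs, the audience, the key and the user names are constructed for the demo; tokens are signed with HS256 and a shared secret as a stand-in for the RS256 signature validation a real application delegates to its authentication library.

```python
import base64
import hashlib
import hmac
import json

# All values below are constructed for this demo; none come from the article or from Microsoft.
DEMO_KEY = b"demo-shared-secret-not-a-real-aad-key"
HOME_TENANT = "11111111-1111-1111-1111-111111111111"      # hypothetical tenant that owns the app
ATTACKER_TENANT = "22222222-2222-2222-2222-222222222222"  # hypothetical unrelated tenant
APP_AUDIENCE = "api://demo-multitenant-app"               # hypothetical application ID URI
ALLOWED_TENANTS = {HOME_TENANT}                           # the access policy the app must enforce


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint an HS256 JWT. Stand-in for AAD, which signs real tokens with RS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_signature(token: str, key: bytes = DEMO_KEY) -> dict:
    """Check token structure and signature and return the claims (what an auth library does for you)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # pin the expected algorithm; never trust alg from the token
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def authorize_naive(token: str, audience: str = APP_AUDIENCE) -> tuple:
    """Vulnerable pattern: a valid AAD signature plus the right audience is treated as 'logged in'.
    For a multi-tenant app, any user in any tenant can obtain such a token."""
    claims = verify_signature(token)
    if claims.get("aud") != audience:
        return False, "audience mismatch"
    return True, claims.get("preferred_username", "<unknown>")


def authorize_tenant_checked(token: str, audience: str = APP_AUDIENCE,
                             allowed_tenants: set = ALLOWED_TENANTS) -> tuple:
    """Hardened pattern: additionally require tid to be allowlisted and consistent with iss."""
    claims = verify_signature(token)
    if claims.get("aud") != audience:
        return False, "audience mismatch"
    tid = claims.get("tid")
    if not tid:
        return False, "missing tid claim"
    iss = claims.get("iss", "")
    # Issuer formats AAD uses for v2.0 and v1.0 tokens; the tenant in iss must agree with tid.
    if iss not in (f"https://login.microsoftonline.com/{tid}/v2.0", f"https://sts.windows.net/{tid}/"):
        return False, "issuer does not match tid"
    if tid not in allowed_tenants:
        return False, f"tenant {tid} is not allowed"
    return True, claims.get("preferred_username", "<unknown>")


def demo_tokens() -> tuple:
    """Constructed tokens: one from the app's home tenant, one from an unrelated tenant."""
    good = make_demo_token({"aud": APP_AUDIENCE, "tid": HOME_TENANT,
                            "iss": f"https://login.microsoftonline.com/{HOME_TENANT}/v2.0",
                            "preferred_username": "alice@contoso.example"})
    foreign = make_demo_token({"aud": APP_AUDIENCE, "tid": ATTACKER_TENANT,
                               "iss": f"https://login.microsoftonline.com/{ATTACKER_TENANT}/v2.0",
                               "preferred_username": "mallory@attacker.example"})
    return good, foreign


if __name__ == "__main__":
    good, foreign = demo_tokens()
    for name, tok in (("home tenant", good), ("foreign tenant", foreign)):
        print(name, "naive:", authorize_naive(tok), "checked:", authorize_tenant_checked(tok))
```

The single-tenant alternative the article mentions corresponds to setting the app registration’s `signInAudience` to `AzureADMyOrg`, in which case AAD itself refuses to issue tokens to users from other tenants and the application-side allowlist becomes a second layer rather than the only one.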

Key Points:

  • Azure Active Directory (AAD) misconfiguration exposed applications to unauthorized access.
  • Multi-tenant applications must validate the caller’s tenant themselves to prevent unauthorized logins.
  • Microsoft’s own applications were vulnerable to the misconfiguration.
  • A malicious actor could have tampered with search results on Bing.com.
  • Organizations must check application configurations and logs to ensure they are secure.
