{"id":51230,"date":"2023-03-30T00:50:01","date_gmt":"2023-03-30T00:50:01","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/34475\/BingBang-How-A-Simple-Developer-Mistake-Could-Have-Led-To-Bing.com-Takeover.html"},"modified":"2023-03-30T00:50:01","modified_gmt":"2023-03-30T00:50:01","slug":"bingbang-how-a-simple-developer-mistake-could-have-led-to-bing-com-takeover","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/bingbang-how-a-simple-developer-mistake-could-have-led-to-bing-com-takeover\/","title":{"rendered":"BingBang: How A Simple Developer Mistake Could Have Led To Bing.com Takeover"},"content":{"rendered":"
<\/div>\n

This blog provides a high-level overview of the vulnerability and its impact. For a technical deep dive, please refer to our technical blog<\/a>.<\/p>\n

<\/span>Introduction <\/strong> <\/h2>\n

Wiz Research has identified a new attack vector in Azure Active Directory (AAD) that compromised Microsoft\u2019s Bing.com. The attack vector is based on a common AAD misconfiguration, exposing misconfigured apps to unauthorized access. <\/p>\n

The researchers found several Microsoft applications vulnerable to this attack, one of which was a Content Management System (CMS) that powers Bing.com. This allowed them to take over Bing.com functionality, modify search results, and potentially enable the Office 365 credential theft of millions of Bing users. These credentials in turn granted access to users\u2019 private emails and documents.<\/p>\n

Wiz Research named this attack \u201c#BingBang.\u201d The exploitation of the vulnerability was simple and didn’t require a single line of code.<\/p>\n

All issues were responsibly disclosed to Microsoft upon discovery. Microsoft rapidly fixed its vulnerable applications and modified some AAD functionality to reduce customer exposure. <\/p>\n

To check whether your environment has been affected, please refer to the \u201cCustomer Remediation Guidelines\u201d section of our technical blog<\/a>. <\/p>\n

BingBang attack flow<\/em><\/p>\n

<\/span>Part 1: Logging in to a sensitive Bing.com interface<\/strong><\/h2>\n

As part of Wiz Research efforts to investigate novel cloud risks and attack vectors (e.g. ChaosDB, OMIGOD, etc.), our researchers examined Azure Active Directory and discovered a risky configuration. <\/p>\n

<\/span>What is Azure Active Directory? <\/h3>\n

Azure Active Directory (AAD)<\/a> is a cloud-based identity and access management service. AAD is the most common authentication mechanism for apps created in Azure App Services or Azure Functions. You might be familiar with the AAD sign-in page:<\/p>\n

<\/span>What risky configuration did Wiz Research discover in AAD? <\/h3>\n

AAD provides different types of account access: single-tenant, multi-tenant, personal accounts, or a combination of the latter two. A multi-tenant app allows logins from any user belonging to any Azure tenant. In a multi-tenant app, it is the developer\u2019s responsibility to check the user\u2019s original tenant and provision access accordingly. If they do not properly validate this information, any Azure user in the world could log in to the app.<\/p>\n

This Shared Responsibility architecture is not always clear to developers, and as a result, validation and configuration mistakes are quite prevalent.  <\/p>\n

<\/span>Discovering the vulnerable Bing application <\/h3>\n

After recognizing these issues and their potential impact, the researchers started scanning for vulnerable applications (multi-tenant apps lacking proper validation) on the internet. The results were shocking \u2013 approximately 25% of the multi-tenant apps they scanned were vulnerable.  <\/p>\n

Most surprisingly, the list included an app made by Microsoft itself, named \u201cBing Trivia.\u201d 
Because this app was misconfigured, the researchers were able to log in to it with their own Azure user. They then found a Content Management System (CMS) linked to Bing.com.<\/p>\n

<\/span>Part 2: Modifying Bing.com search results<\/strong> <\/h2>\n

To verify that this CMS was indeed controlling Bing\u2019s live results, they selected a keyword in the CMS and temporarily altered its content. They chose the \u201cbest soundtracks\u201d search query, which returned a list of highly recommended movie soundtracks. <\/p>\n

They then proceeded to change the first result, \u201cDune (2021),\u201d to their personal favorite, \u201cHackers (1995),\u201d and pushed it to production. Their new result, complete with their title, thumbnail, and arbitrary link, immediately appeared on Bing.com:<\/p>\n

This proved that they could control arbitrary search results on Bing.com. A malicious actor landing on the Bing Trivia app page could therefore have tampered with any search term and launched misinformation campaigns, as well as phished and impersonated other websites. <\/p>\n

<\/span>Part 3: Stealing Office 365 credentials from Bing users<\/strong> <\/h2>\n

After Wiz researchers realized they could modify Bing.com, they decided to test Cross-Site Scripting (XSS) viability. <\/p>\n

<\/span>What is a Cross-Site Scripting (XSS) attack?<\/h3>\n

Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code to an end user through the website. <\/p>\n

The researchers added a harmless XSS payload to Bing.com and saw that it ran as expected, so they quickly reverted their changes and immediately reported their findings to Microsoft. <\/p>\n

While working with Microsoft on the report, the researchers started investigating the impact of the XSS they found, and discovered they could utilize it to compromise the Office 365 token of any Bing user.  <\/p>\n

Bing and Office 365 are integrated: Bing\u202fhas a \u201cWork\u201d section that allows users to search their Office 365 data. To implement this functionality, Bing communicates with Office 365 on the logged-in user’s behalf. Using this same feature, the researchers crafted an XSS payload that stole Office 365 access tokens from users:<\/p>\n

With a stolen token, a potential attacker could access Bing users\u2019 Office 365 data,\u202fincluding Outlook emails, calendars, Teams messages, SharePoint documents, and OneDrive files. The tests were limited to the researcher\u2019s own user; no tests were performed on other Bing.com users. <\/p>\n

A malicious actor with the same access could\u2019ve hijacked the most popular search results with the same payload and leaked the sensitive data of millions of users. According to SimilarWeb, Bing is the 27th most visited website in the world, with over a billion pageviews per month \u2013 in other words, millions of users could\u2019ve been exposed to malicious search results and Office 365 data theft.<\/p>\n