
A major vulnerability in Bing allowed access to private mailboxes and search results

  • March 31, 2023


Security researchers were able to change Bing search results earlier this year through a misconfiguration in Azure. They also got access to private customer data from Teams and Outlook.

Not even Microsoft is immune to cloud misconfigurations. Wiz security researchers discovered such a misconfiguration in Azure and were able to exploit it with far-reaching consequences, the Wall Street Journal reports. On the one hand, the researchers were able to manipulate Bing’s search results, which is particularly unfortunate for the handful of users who can’t easily change their default search engine on Windows. On the other hand, the testers gained access to Microsoft applications and the associated customer data.

AD problem

The error in question dates back to January and was in the Azure Active Directory service. There, an app can be configured for use by multiple accounts, but with this setting everyone has access by default. It is up to the owner to tighten the configuration with the right access rights.

Using their own accounts, the researchers found that they had access to the Bing Trivia CMS, where they could customize results and so, in theory, spread fake news or conduct phishing attacks.
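The owner-side check described above, as an added example that is not from the article or from Wiz. It assumes the setting in question is the app registration's multi-tenant sign-in audience (`signInAudience` in Microsoft Graph); the app names, IDs and tenant IDs are constructed.

```python
import json

# Sign-in audiences that let accounts outside the owning tenant obtain tokens.
MULTI_TENANT = {"AzureADMultipleOrgs", "AzureADandPersonalMicrosoftAccount"}

# Constructed sample: app registrations in the shape Microsoft Graph returns
# from /applications (only the fields used here; names and IDs are made up).
SAMPLE_APPS = json.loads("""
[
  {"displayName": "internal-cms", "appId": "11111111-1111-1111-1111-111111111111",
   "signInAudience": "AzureADMultipleOrgs"},
  {"displayName": "hr-portal", "appId": "22222222-2222-2222-2222-222222222222",
   "signInAudience": "AzureADMyOrg"},
  {"displayName": "partner-api", "appId": "33333333-3333-3333-3333-333333333333",
   "signInAudience": "AzureADandPersonalMicrosoftAccount"}
]
""")


def multi_tenant_apps(apps):
    """Return display names of registrations any outside account can sign in to."""
    return sorted(a["displayName"] for a in apps
                  if a.get("signInAudience") in MULTI_TENANT)


def authorize(claims, allowed_tenants):
    """App-side check for a multi-tenant app: accept a token only if its
    tenant (tid) is allow-listed and its issuer belongs to that same tenant.
    `claims` must come from a token whose signature, audience and expiry
    were already verified by the caller."""
    tid = claims.get("tid", "")
    if tid not in allowed_tenants:
        return False
    # v2.0 issuer format; compared so that tid and iss cannot disagree.
    return claims.get("iss") == f"https://login.microsoftonline.com/{tid}/v2.0"


if __name__ == "__main__":
    print("review:", multi_tenant_apps(SAMPLE_APPS))
    home = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"  # constructed tenant ID
    outsider = {"tid": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
                "iss": "https://login.microsoftonline.com/"
                       "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb/v2.0"}
    print("outsider allowed:", authorize(outsider, {home}))
```

Every registration the first function lists needs a tenant check like the second one in its own code, or its audience narrowed to the owning organization.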

Access to Email

Further investigation revealed that the same bug allowed access to the Microsoft 365 data of Microsoft customers. This was undoubtedly very sensitive information, such as emails in Outlook, calendars, Teams messages and SharePoint documents. Wiz experts demonstrated how to read a simulated victim’s mailbox. The misconfiguration in question proved to be pervasive in the Microsoft ecosystem.

On January 32, Microsoft was notified of the vulnerability in Bing. This issue was fixed on February 2nd. On February 25, Wiz shared the additional bug that allowed access to Microsoft 365. The loopholes were not closed until March 20th. Microsoft says it has also refined its own internal processes to avoid similar problems in the future.

Not exploited

The vulnerability, which the people at Wiz have dubbed BingBang, is said to have been discovered and patched in time, before hackers had a chance to exploit it. Customer data was therefore only theoretically publicly accessible, without any practical consequences.

Source: IT Daily
