Bing and millions of Microsoft 365 accounts were vulnerable to hackers due to the 'BingBang' vulnerability

News
By
published

An issue within Azure left millions of Microsoft 365 accounts vulnerable to attackers.

Bing color shifted to red
(Image credit: Future)

What you need to know

  • Wiz Research discovered an issue within Microsoft Azure that left Bing and millions of Microsoft accounts vulnerable.
  • White hat hackers were able to change Bing search results and prove that it was possible to share an attack through the search engine.
  • The vulnerability was reported to Microsoft and fixed within one week of the new Bing powered by ChatGPT launching in preview.

Earlier this year, a vulnerability was discovered that put millions of Microsoft 365 accounts at risk. Security researchers at Wiz found a flaw in Azure that could be exploited to access Bing's CMS and gather private information from Microsoft apps, such as Teams, Outlook, and the Office suite.

Hillai Ben-Sasson, a cloud security researcher at Wiz, broke down how they were able to alter Bing search results and "take over millions of Office 365 accounts."

Below is the first tweet of an extensive thread about the exploit:

Wiz also has a blog post about the vulnerability, as well as a video.

Wiz discovered an attack vector in Azure Active Directory that if exploited would grant unauthorized access to misconfigured applications. Roughly 25% of multi-tenant applications were vulnerable, according to Wiz. The research firm highlighted that misconfigurations are common.

Several applications were at risk due to the vulnerability. Wiz was able to modify Bing search results and launch high-impact XSS attacks on users of Bing. If attacks such as those were successful, a threat actor could gain access to Outlook emails and SharePoint documents. OneDrive files, Outlook calendars, and Teams messages were also at risk of being exposed.

“A potential attacker could have influenced Bing search results and compromised Microsoft 365 emails and data of millions of people,” said Ami Luttwak, Wiz’s chief technology officer, to The Wall Street Journal. “It could have been a nation-state trying to influence public opinion or a financially motivated hacker.”

Wiz alerted Microsoft of the Bing vulnerability and the tech giant fixed it quickly. The research firm made Microsoft aware of other vulnerable applications on February 25, 2023. On March 20, 2023, Microsoft confirmed to Wiz that all of the related issues had been fixed.

In a way, the timing of the exploit being reported and fixed was a blessing for Microsoft. The vulnerability was reported on January 31, 2023 and fixed two days later on February 2, 2023. Microsoft announced the new Bing on February 7, 2023. If the vulnerability was left unpatched when the new search engine launched in preview, the number of potential victims would have been much higher.

Bing Chat helped the use of Microsoft's search engine to over 100 million daily active users.

While the reported vulnerability could have been exploited for years, according to Wiz, the company clarified that there was no evidence that it had been exploited.

CATEGORIES
Sean Endicott
Sean Endicott
News Writer and apps editor

Sean Endicott is a tech journalist at Windows Central, specializing in Windows, Microsoft software, AI, and PCs. He's covered major launches, from Windows 10 and 11 to the rise of AI tools like ChatGPT. Sean's journey began with the Lumia 740, leading to strong ties with app developers. Outside writing, he coaches American football, utilizing Microsoft services to manage his team. He studied broadcast journalism at Nottingham Trent University and is active on X @SeanEndicott_ and Threads @sean_endicott_.