Microsoft’s Bing search engine has been in the news lately due to the launch of Bing Chat. However, before this launch, security researchers at Wiz discovered a major flaw in Microsoft’s cloud computing platform, Azure, that compromised Bing’s security.
Wiz’s Hillai Ben-Sasson revealed their findings in a recent Twitter thread, stating that they discovered “an odd Azure configuration” in January. They found a vulnerability in the Azure Active Directory (AAD) identity and access management service, which allowed them to access Microsoft’s Bing Trivia feature without authentication. This flaw enabled hackers to obtain personal information from Bing users, such as Outlook emails and Teams chats, by issuing Office tokens to all logged-in users.
According to Wiz Chief Technology Officer Ami Luttwak, the exploit could have been used by a state trying to influence public opinion or a hacker with financial motives. Fortunately, Microsoft has addressed the issues Wiz reported in Azure and Bing. In a blog post, Microsoft stated that Azure AD had been updated to stop issuing access tokens to clients not registered in the resource tenant. This should prevent this issue if the application does not handle authentication checks correctly.
Although Wiz did not find any evidence of exploitation before the patch was released, they suggest that organizations using Azure Active Directory applications review their application logs for suspicious logins that indicate a security breach.
In recognition of their efforts, Microsoft rewarded Wiz with $40,000 for finding and reporting the flaw. This highlights the importance of responsible disclosure of vulnerabilities to ensure they are addressed quickly and efficiently.
In conclusion, the recent discovery of a vulnerability in Azure by Wiz serves as a reminder of the importance of robust security measures in cloud computing platforms. With Microsoft quickly addressing the issues, it is a testament to its commitment to ensuring the safety and security of its users’ data. However, organizations should also take proactive steps to review their application logs to identify suspicious activity and prevent future security breaches.
