Bingbang Vulnerability Allows Account Seizure

Researchers at Wiz have discovered a vulnerability in the Bing search system that allows user data to be manipulated and seized. The vulnerability, named "Bingbang", was found in several Microsoft applications and is tied to attacks against Azure Active Directory.

Azure Active Directory provides single sign-on and multi-factor authentication for many organizations worldwide. However, incorrect Azure settings leave applications open to potentially serious problems. According to Wiz, at least 35% of the applications it scanned were vulnerable to an Azure authentication bypass.
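The misconfiguration class behind this kind of bypass is an application that accepts any validly signed identity-provider token without checking which tenant issued it. The following Python is an added illustration, not Wiz's or Microsoft's code, and it assumes that tenant-claim check is the missing "additional authorization check"; the tenant IDs and the HS256 shared key are constructed for the demo (a real Azure AD token would be RS256-signed and verified against the provider's published keys).

```python
import base64
import hashlib
import hmac
import json

# Constructed tenant IDs (not real Microsoft or Wiz values).
HOME_TENANT = "00000000-0000-0000-0000-00000000aaaa"
FOREIGN_TENANT = "00000000-0000-0000-0000-00000000bbbb"
ALLOWED_TENANTS = {HOME_TENANT}

# Constructed shared key standing in for the identity provider's signing key.
SIGNING_KEY = b"constructed-demo-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Build an HS256 JWT for the demo; the IdP signs tokens for every tenant it hosts."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_signature(token: str, key: bytes = SIGNING_KEY):
    """Return the claims if the signature verifies, otherwise None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(payload))


def authorize_weak(token: str) -> bool:
    """Misconfigured pattern: any validly signed token is accepted, whatever tenant issued it."""
    return verify_signature(token) is not None


def authorize_strict(token: str) -> bool:
    """Hardened pattern: the signature must verify AND the tenant claim must be on the allowlist."""
    claims = verify_signature(token)
    if claims is None:
        return False
    return claims.get("tid") in ALLOWED_TENANTS


if __name__ == "__main__":
    home = make_token({"sub": "alice", "tid": HOME_TENANT})
    foreign = make_token({"sub": "mallory", "tid": FOREIGN_TENANT})
    for name, tok in (("home", home), ("foreign", foreign)):
        print(f"{name}: weak={authorize_weak(tok)} strict={authorize_strict(tok)}")
```

The weak check treats "authenticated" as "authorized": a token minted for an account in any other tenant passes. The strict check adds the tenant allowlist, which is the control an application must enforce itself because the identity provider cannot know which tenants a given app is meant to serve.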

One example of the Bingbang attack shows how an open administrator interface tied to Bing could be reached by any user. Not only were the researchers able to change the results for queries such as "best soundtrack", but they were also able to compromise the account data of any Bing user with Microsoft Office 365. This also gave them access to personal data, Outlook mail, SharePoint, Teams messages, and more.

Bing is the 27th most popular website in the world, making it a large potential target pool for attacks. Other services vulnerable to Bingbang include Mag News, MSN, PoliCheck, and the Power Automate Blog, among others.

The potential harm from this attack is vast. Compromised services could send internal notifications to Microsoft developers or emails to a large number of recipients. Fortunately, Microsoft was notified promptly and fixed the vulnerability. It added additional authorization checks and confirmed that no real attackers had exploited the flaw.

In summary, Wiz discovered the Bingbang vulnerability in the Bing search system, allowing for the manipulation and seizure of user information from Microsoft applications. Bing is the 27th most popular website and a significant target for attacks. Microsoft worked quickly to fix the vulnerability and add additional checks.
