An Azure Active Directory (AAD) misconfiguration let a cloud security researcher manipulate Bing search results. Hillai Ben-Sasson, a Cloud Security Researcher at Wiz Research, got into the content management system (CMS) behind Bing search, altered live search results, and showed that the same access could have been used to take over millions of Microsoft Office 365 accounts. The researcher reported the issue to Microsoft, which fixed it before the team published the full account, and Microsoft awarded a bounty of $40,000 (~Rs 32,85,500). Here is how it unfolded.
Bing Search Result Altered by Cloud Security Researcher
I hacked into a @Bing CMS that allowed me to alter search results and take over millions of @Office365 accounts.
How did I do it? Well, it all started with a simple click in @Azure… 👀
This is the story of #BingBang 🧵⬇️ pic.twitter.com/9pydWvHhJs
— Hillai Ben-Sasson (@hillai) March 29, 2023
Ben-Sasson got in by exploiting an AAD misconfiguration and, as a demonstration, swapped the top result for "best soundtracks" from the Dune soundtrack to the soundtrack of the 1995 film Hackers. It began when the Wiz Research team noticed a single setting in Azure's app registration: the "Supported account types" option that lets accounts in any organizational directory sign in, which makes the app multi-tenant. With that option set, Azure AD will issue a valid token to a user from any tenant, and it is left to the application itself to check which tenant the token came from. Applications that skip that check are open to anyone with an Azure AD account, and Wiz's scan found that about 25% of the multi-tenant applications it examined were exposed in this way.
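To make the misconfiguration concrete, here is an added Python example of the tenant check that a multi-tenant Azure AD application must perform itself. It is not code from Wiz Research, Microsoft or the Bing CMS. It assumes that a JOSE library has already verified the token's signature, expiry and audience, and it only shows the issuer and tenant logic; every tenant ID, client ID and claim set in it is constructed for the demonstration. The weak check is what a misconfigured app effectively does; the strict check is what closes the hole.

```python
"""Tenant validation for a multi-tenant Azure AD application.

Added example, not code from Wiz Research, Microsoft or the Bing CMS. When an
app registration allows "accounts in any organizational directory", Azure AD
signs tokens for users in ANY tenant, so the application must decide which
tenants it trusts by checking the issuer ('iss') and tenant ('tid') claims.
Signature, expiry and audience verification are assumed to be done already by
a JOSE library. All identifiers and claim sets below are constructed.
"""
import re
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed identifiers, not real tenants or applications.
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
PARTNER_TENANT = "22222222-2222-2222-2222-222222222222"
ATTACKER_TENANT = "99999999-9999-9999-9999-999999999999"
APP_CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

# Tenants this application is willing to serve.
ALLOWED_TENANTS: FrozenSet[str] = frozenset({HOME_TENANT, PARTNER_TENANT})

GUID = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
# Issuer formats Azure AD uses for v2.0 and v1.0 tokens. The tenant that
# actually authenticated the user is embedded in the issuer URL.
ISSUER_PATTERNS = (
    re.compile(rf"^https://login\.microsoftonline\.com/({GUID})/v2\.0$"),
    re.compile(rf"^https://sts\.windows\.net/({GUID})/$"),
)

Claims = Dict[str, str]


def weak_accept(claims: Claims) -> bool:
    """What a misconfigured multi-tenant app effectively does: accept any
    Azure AD token minted for this client ID, whatever tenant issued it."""
    return claims.get("aud") == APP_CLIENT_ID


def tenant_from_issuer(iss: str) -> Optional[str]:
    """Extract the tenant ID from an Azure AD issuer URL, or None when the
    issuer is not an Azure AD tenant issuer at all."""
    for pattern in ISSUER_PATTERNS:
        match = pattern.match(iss)
        if match:
            return match.group(1).lower()
    return None


def strict_accept(claims: Claims, allowed: FrozenSet[str]) -> Tuple[bool, str]:
    """Hardened check: audience, issuer format, tid/issuer agreement and an
    explicit tenant allow-list. Returns (accepted, reason)."""
    if claims.get("aud") != APP_CLIENT_ID:
        return False, "audience mismatch"
    issuer_tenant = tenant_from_issuer(claims.get("iss", ""))
    if issuer_tenant is None:
        return False, "issuer is not an Azure AD tenant issuer"
    tid = claims.get("tid", "").lower()
    # 'tid' must agree with the tenant in 'iss'; trusting 'tid' alone would let
    # a token from one tenant claim to belong to another.
    if tid != issuer_tenant:
        return False, "tid claim does not match issuer tenant"
    if tid not in allowed:
        return False, "tenant not in allow-list"
    return True, "ok"


def make_claims(tenant: str, name: str, v2: bool = True) -> Claims:
    """Build a constructed claim set shaped like one Azure AD mints for `tenant`."""
    iss = (f"https://login.microsoftonline.com/{tenant}/v2.0" if v2
           else f"https://sts.windows.net/{tenant}/")
    return {"aud": APP_CLIENT_ID, "iss": iss, "tid": tenant, "name": name}


# Constructed tokens: a home-tenant employee, a user from an unrelated tenant
# (the BingBang situation: any Azure AD account), and a token whose 'tid'
# names the home tenant while its issuer says otherwise.
HOME_USER = make_claims(HOME_TENANT, "alice@home.example")
FOREIGN_USER = make_claims(ATTACKER_TENANT, "attacker@evil.example", v2=False)
MISMATCHED = dict(make_claims(ATTACKER_TENANT, "attacker@evil.example"), tid=HOME_TENANT)


def run_demo() -> Dict[str, Tuple[bool, bool]]:
    """Return {label: (weak_accept result, strict_accept result)} per token."""
    out = {}
    for label, claims in (("home", HOME_USER), ("foreign", FOREIGN_USER), ("mismatched", MISMATCHED)):
        out[label] = (weak_accept(claims), strict_accept(claims, ALLOWED_TENANTS)[0])
    return out


if __name__ == "__main__":
    for label, (weak, strict) in run_demo().items():
        print(f"{label:11s} weak={weak} strict={strict}")
```

The point of the allow-list is that "valid Azure AD token" and "user we trust" are different statements for a multi-tenant app; the foreign-tenant token passes the weak check exactly as any Azure AD account could sign in to the Bing Trivia CMS. If an application genuinely has no reason to serve other tenants, the simpler fix is to register it as single-tenant so Azure AD refuses the foreign login before the application ever sees a token.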
Ben-Sasson tried to log in to one such application with his own Azure AD account and landed on a page called "Bing Trivia", which at first glance looked like nothing more than a trivia page. To his surprise, it turned out to be a CMS that controlled live content shown in Bing search results. On a page listing keywords and their results, he changed the top result for "best soundtracks" from Dune (2021) to his personal favourite, Hackers (1995), pun intended, and Bing.com reflected the change immediately.
With his curiosity piqued, Ben-Sasson confirmed that the CMS also let him inject a cross-site scripting (XSS) payload into a search result. He then found that Bing's Office 365 integration issues Office access tokens for users who are signed in, so a payload injected into a search result could harvest those tokens. He tested the XSS against his own account only, and the stolen token gave access to his Outlook emails, calendars, Teams messages, SharePoint documents and OneDrive files. Any signed-in Bing user would have been exposed the same way, and because the misconfiguration was reachable by anyone with an Azure AD account, an attacker could have done exactly the same.
At that point the Wiz Research team reverted the changes they had made in the Bing CMS and reported the issue to Microsoft. Microsoft fixed the affected applications and introduced AAD product and guidance changes for all customers to help mitigate the issue. Ben-Sasson and the Wiz Research team were awarded a $40,000 bug bounty, which they plan to donate to a good cause.