March 30 (Portaltic/EP) –
A configuration error in Microsoft's Azure platform allowed access to the company's own internal services, making it possible to manipulate Bing search results and to spy on and steal data from workers who use Office 365 apps.
The misconfiguration was identified in Azure Active Directory (AAD), the service that handles user authentication in business environments, and it exposed several Microsoft services, to the point where a malicious actor could not only view sensitive data but also modify it.
AAD lets an application be registered for different kinds of sign-in: single-tenant (accounts from one organization's directory only), multi-tenant (accounts from any Azure AD directory), personal Microsoft accounts, or a combination of the last two. The configuration error lay precisely in the multi-tenant option, where any Azure AD user can sign in and it is up to the application's developers to check which tenant the signed-in user actually belongs to.
Specifically, the Wiz researchers found that 25 percent of all the multi-tenant applications they analyzed were vulnerable to authentication bypass, that is, they accepted the sign-in without properly validating the user's tenant, as explained in the write-up published on the company's blog.
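The tenant check the article refers to, as an added illustration that is not from the article, from Wiz's write-up or from Microsoft's code: an Azure AD v2.0 token carries the issuing tenant in the `tid` claim and in an issuer URL of the form `https://login.microsoftonline.com/<tid>/v2.0`. A multi-tenant app that only checks the audience (`aud`) accepts a token from any tenant; the hardened version also requires the tenant to be on an allowlist and the issuer to match it. The app ID, tenant IDs and tokens below are constructed for the example, and the tokens are unsigned: signature verification against the tenant's published keys is assumed to happen first and is out of scope here.

```python
import base64
import json

# Azure AD (v2.0 endpoint) identifies the issuing tenant with the "tid" claim and
# with an issuer URL that embeds the same tenant ID.
ISSUER_TEMPLATE = "https://login.microsoftonline.com/{tid}/v2.0"

# Constructed values for the example (not real tenants or app registrations).
APP_ID = "00000000-0000-0000-0000-00000000beef"            # the app's client ID
COMPANY_TENANT = "11111111-1111-1111-1111-111111111111"   # the tenant the app serves
ATTACKER_TENANT = "22222222-2222-2222-2222-222222222222"  # any other Azure AD tenant
ALLOWED_TENANTS = frozenset({COMPANY_TENANT})


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: dict) -> str:
    """Build a compact JWT with a placeholder signature (constructed test data only)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWT.

    Assumption: the signature has already been verified against the tenant's
    signing keys (e.g. with MSAL or PyJWT). That step is out of scope here; the
    functions below only show the tenant check that must follow it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def vulnerable_validate(claims: dict, app_id: str) -> bool:
    """The mistake: a multi-tenant app that only checks the audience.

    Any Azure AD tenant can obtain a valid token for this app, so a user from an
    unrelated tenant is let in as if they were an employee.
    """
    return claims.get("aud") == app_id


def hardened_validate(claims: dict, app_id: str, allowed_tenants) -> bool:
    """Audience check plus an explicit tenant allowlist and issuer/tenant consistency."""
    if claims.get("aud") != app_id:
        return False
    tid = claims.get("tid")
    if tid not in allowed_tenants:
        return False
    # The issuer must name the same tenant as "tid"; a mismatch means the token was
    # not issued by the tenant it claims to come from.
    if claims.get("iss") != ISSUER_TEMPLATE.format(tid=tid):
        return False
    return True


def token_for(tenant: str, upn: str) -> str:
    """Constructed token as the given tenant would issue it for this app."""
    return make_unsigned_token({
        "aud": APP_ID,
        "iss": ISSUER_TEMPLATE.format(tid=tenant),
        "tid": tenant,
        "preferred_username": upn,
    })


def demo() -> dict:
    """Run both validators against an employee token and an outsider's token."""
    employee = decode_claims(token_for(COMPANY_TENANT, "alice@company.example"))
    outsider = decode_claims(token_for(ATTACKER_TENANT, "mallory@attacker.example"))
    return {
        "vulnerable_accepts_employee": vulnerable_validate(employee, APP_ID),
        "vulnerable_accepts_outsider": vulnerable_validate(outsider, APP_ID),
        "hardened_accepts_employee": hardened_validate(employee, APP_ID, ALLOWED_TENANTS),
        "hardened_accepts_outsider": hardened_validate(outsider, APP_ID, ALLOWED_TENANTS),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The outsider's token is perfectly genuine from Azure AD's point of view, which is why signature and audience checks alone do not stop it; only the app's own tenant allowlist does. Production code should also verify the signature, `exp` and `nbf` before reaching this check.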
One of the affected applications belonged to bing.com, Microsoft's search engine. Taking advantage of the misconfiguration, the researchers signed in with a user from their own Azure tenant to Bing Trivia, an internal app that manages content sections of the search engine such as carousels, quizzes and background images, without ever having been validated as an authorized tenant.
Inside it they were able to edit a carousel for the query 'best soundtracks': in place of Dune (2021), which appeared in first position, they entered Hackers (1995), saved the change, and saw it reflected in the results the search engine served to users.
"This showed that we could control Bing search results," say the researchers, who later extended this control to the content of the search engine's home page.
The researchers also executed a "harmless" payload to test the feasibility of a code-injection (cross-site scripting) attack. They found a section called 'Work', built on the Office 365 API, which, once attacked, gave them access to the victim's information (in this case, their own test user): emails, Teams messages, documents shared on SharePoint and OneDrive files.