{"id":21614,"date":"2023-03-30T16:10:50","date_gmt":"2023-03-31T00:10:50","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2023\/03\/30\/news-15345\/"},"modified":"2023-03-30T16:10:50","modified_gmt":"2023-03-31T00:10:50","slug":"news-15345","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2023\/03\/30\/news-15345\/","title":{"rendered":"&#8220;BingBang&#8221; flaw enabled altering of Bing search results, account takeover"},"content":{"rendered":"<p>Researchers from Wiz have discovered a misconfiguration that <a href=\"https:\/\/www.wiz.io\/blog\/azure-active-directory-bing-misconfiguration\">allowed for search engine manipulation and account takeover<\/a>. The research in question focuses on several Microsoft applications, with everything stemming from a misconfiguration in multi-tenant applications built on <a href=\"https:\/\/azure.microsoft.com\/en-us\/products\/active-directory\" target=\"_blank\">Azure Active Directory<\/a>.<\/p>\n<p>Azure Active Directory is a single sign-on and multi-factor authentication service used by organisations around the world. In Microsoft&rsquo;s own words, &ldquo;Governance ensures the right people have access to the right resources, and only when they need it&rdquo;.<\/p>\n<p>Unfortunately, a misconfiguration in how several Microsoft applications were registered in Azure AD resulted in a collection of potentially serious issues. The applications were set up as multi-tenant, so they accepted sign-ins from any Azure AD tenant rather than only Microsoft&rsquo;s own, and they did not check which tenant a signed-in account came from before granting access. According to Wiz, once the team started scanning for exposed applications, no fewer than 35% of the apps they scanned were vulnerable to this authentication bypass.<\/p>\n<p>Perhaps the most striking example of this particular attack is how an exposed admin interface tied to Bing allowed any Azure AD user, from any tenant, to access it. Signing in with an unrelated account resulted in a functional admin panel for the search engine. 
The researchers were able to not only change returned results for searches like &ldquo;Best soundtrack&rdquo;, but also take things quite a bit further.<\/p>\n<p><iframe loading=\"lazy\" width=\"100%\" height=\"420\" src=\"https:\/\/www.youtube.com\/embed\/hctqRgQW4IU?feature=oembed\" frameborder=\"0\" allowfullscreen=\"\" style=\"\"><\/iframe><\/p>\n<p>This same access also allowed the researchers to inject a Cross Site Scripting attack (XSS) and compromise any Bing user&rsquo;s Office365 credentials. From there, they could access:<\/p>\n<ul>\n<li>Private data<\/li>\n<li>Outlook emails<\/li>\n<li>SharePoint files<\/li>\n<li>Teams messages<\/li>\n<\/ul>\n<p>This particular attack has been dubbed &ldquo;BingBang&rdquo;. Wiz notes that Bing is the 27th most visited website in the world, so that&rsquo;s clearly a big target pool to play with. Additionally, other vulnerabilities existed in numerous other applications. These range from Mag News, a control panel for MSN newsletters and PoliCheck, a forbidden word checker, to Power Automate Blog (a WordPress admin panel) and CNS API, a Central Notification Service.<\/p>\n<p>The potential for mischief here is wide-ranging. These applications can send internal notifications to Microsoft developers, or fire out emails to a large collection of recipients.<\/p>\n<p>Thankfully Microsoft was notified about these issues, and by the time the latest Bing update was rolled out the issues had been addressed. From its&nbsp;<a href=\"https:\/\/msrc.microsoft.com\/blog\/2023\/03\/guidance-on-potential-misconfiguration-of-authorization-of-multi-tenant-applications-that-use-azure-ad\/\">Guidance Document<\/a>:<\/p>\n<blockquote>\n<p>Microsoft has addressed an authorization misconfiguration for multi-tenant applications that use Azure AD, initially discovered by Wiz, and reported to Microsoft, that impacted a small number of our internal applications. 
The misconfiguration allowed external parties read and write access to the impacted applications.<\/p>\n<p>Microsoft immediately corrected the misconfiguration and added additional authorization checks to address the issue and confirmed that no unintended access had occurred.<\/p>\n<p>Microsoft has confirmed that all the actions outlined by the researchers are no longer possible because of these fixes.<\/p>\n<p>Microsoft made additional changes to reduce the risk of future misconfigurations.<\/p>\n<\/blockquote>\n<p>The initial Bing issue was first reported to Microsoft on January 31, and it was fixed the same day. The additional vulnerabilities were reported on February 25, with fixes for those beginning on February 27 and ending March 20.<\/p>\n<p>While there doesn&rsquo;t seem to be any solid evidence of these flaws being abused in the wild, Wiz notes that according to Microsoft, Azure Active Directory logs are &ldquo;insufficient to provide insight on past activity&rdquo;. As a result, anyone running a similarly configured application would need to review their own application logs and check for any evidence of dubious logins, such as accounts from tenants that should never have had access.<\/p>\n<p>Managing cloud applications is a difficult business, with small mistakes potentially causing big problems. Sometimes, even Microsoft doesn&rsquo;t get it quite right. Hopefully the worst impact here will turn out to have been knocking Dune out of the top soundtrack spot for the Hackers OST&hellip;even if the latter is the far superior album. Hack the planet indeed.<\/p>\n<p><a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/03\/bing-and-other-microsoft-applications-fall-victim-to-account-takeover-flaw\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<table cellpadding=\"10\">\n<tr>\n<td valign=\"top\" align=\"left\">\n<p>Categories: <a href=\"https:\/\/www.malwarebytes.com\/blog\/category\/news\" rel=\"category tag\">News<\/a><\/p>\n<p>Tags: bing, microsoft, azure, takeover, search, results, access<\/p>\n<p>We take a look at the BingBang flaw which allowed for search engine manipulation in Bing.<\/p>\n<table width=\"100%\">\n<tr>\n<td align=\"right\">\n<p><b>(<a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/03\/bing-and-other-microsoft-applications-fall-victim-to-account-takeover-flaw\" title=\"&quot;BingBang&quot; flaw enabled altering of Bing search results, account takeover\">Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/03\/bing-and-other-microsoft-applications-fall-victim-to-account-takeover-flaw\">&#8220;BingBang&#8221; flaw enabled altering of Bing search results, account takeover<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[12505,13617,13776,10516,32,23852,14255,28976],"class_list":["post-21614","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-access","tag-azure","tag-bing","tag-microsoft","tag-news","tag-results","tag-search","tag-takeover"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21614","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=21614"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21614\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=21614"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=21614"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=21614"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
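Added example, not code from the Malwarebytes article, from Wiz's research or from Microsoft's guidance: it shows the authorization step that the multi-tenant misconfiguration described above leaves out, and the log triage the article says you would have to do yourself because Azure AD logs cannot answer the question for you. A multi-tenant Azure AD app receives tokens whose `tid` claim names the issuing tenant; the permissive pattern accepts any Azure AD-issued token for the app, while the hardened pattern also requires `tid` to be on an allow-list and the `iss` claim to match that tenant. Tenant and application IDs, the sample tokens and the sign-in log records are all constructed for this example, and JWT signature verification is deliberately left out so the authorization check stands alone (a real service must verify the signature against the issuing tenant's keys before trusting any claim).

```python
"""Azure AD multi-tenant token checks: the permissive pattern beside the
tenant-allow-listed one, plus a triage pass over application sign-in records.
Constructed example; signature verification is out of scope here."""
import base64
import json

# Hypothetical tenant and application IDs, constructed for this example.
OUR_TENANT = "11111111-1111-1111-1111-111111111111"
FOREIGN_TENANT = "22222222-2222-2222-2222-222222222222"
OUR_APP_ID = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
ALLOWED_TENANTS = {OUR_TENANT}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string with a dummy signature (constructed test data)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.sig"


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def permissive_accepts(token: str) -> bool:
    """The misconfiguration pattern: a token for this app from any Azure AD
    tenant is treated as authorized; the tenant is never inspected."""
    c = decode_claims(token)
    issuer = str(c.get("iss", ""))
    return c.get("aud") == OUR_APP_ID and issuer.startswith("https://login.microsoftonline.com/")


def hardened_accepts(token: str, allowed_tenants=ALLOWED_TENANTS) -> bool:
    """Same token, plus authorization: the tid claim must be an allow-listed
    tenant and the issuer must be that tenant's v2.0 endpoint."""
    c = decode_claims(token)
    tid = c.get("tid")
    if c.get("aud") != OUR_APP_ID or tid not in allowed_tenants:
        return False
    return c.get("iss") == f"https://login.microsoftonline.com/{tid}/v2.0"


def flag_foreign_tenant_logins(records, allowed_tenants=ALLOWED_TENANTS):
    """Triage application-side sign-in records: return the ones whose tenant is
    not allow-listed. Records are dicts with 'user' and 'tid' keys, a constructed
    log shape for this example rather than any Azure AD schema."""
    return [r for r in records if r.get("tid") not in allowed_tenants]


# Constructed sample tokens: our tenant, an unrelated tenant, and a token whose
# tid and iss disagree (should never pass the hardened check).
INSIDER = make_unsigned_token({
    "aud": OUR_APP_ID, "tid": OUR_TENANT,
    "iss": f"https://login.microsoftonline.com/{OUR_TENANT}/v2.0",
    "preferred_username": "alice@example.com"})
OUTSIDER = make_unsigned_token({
    "aud": OUR_APP_ID, "tid": FOREIGN_TENANT,
    "iss": f"https://login.microsoftonline.com/{FOREIGN_TENANT}/v2.0",
    "preferred_username": "mallory@example.net"})
MISMATCHED = make_unsigned_token({
    "aud": OUR_APP_ID, "tid": OUR_TENANT,
    "iss": f"https://login.microsoftonline.com/{FOREIGN_TENANT}/v2.0"})

SAMPLE_LOG = [  # constructed sign-in records
    {"user": "alice@example.com", "tid": OUR_TENANT},
    {"user": "mallory@example.net", "tid": FOREIGN_TENANT},
]

if __name__ == "__main__":
    for name, tok in (("insider", INSIDER), ("outsider", OUTSIDER), ("mismatched", MISMATCHED)):
        print(f"{name}: permissive={permissive_accepts(tok)} hardened={hardened_accepts(tok)}")
    print("sign-ins from non-allow-listed tenants:", flag_foreign_tenant_logins(SAMPLE_LOG))
```

The outsider token passes the permissive check and fails the hardened one, which is the whole difference between a working admin panel for anyone with an Azure AD account and one restricted to the owning tenant. The same allow-list drives the triage function, so the retrospective check the article recommends uses exactly the rule the fixed application now enforces.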