A security researcher says they have been able to modify Bing search results through a vulnerability in Microsoft’s cloud service.
Earlier this year, a new vulnerability called ‘BingBang’ was discovered that put millions of Microsoft 365 service user accounts at risk. Microsoft 365 is a large service consisting of various tools that are more useful for organizations.
Security researchers said the Azure cloud service has a security vulnerability that allows access to the CMS of the Bing search engine, and can go to the collection of confidential information of Microsoft applications such as Teams, Outlook and Office.
‘Hilay Ben Sasson’, one of Wiz’s security researchers, explained in a new tweet how he and his team manipulated Bing search results and gained control of ‘millions of Office 365 accounts.’
According to Windows Central, researchers at Wiz discovered an attack vector in Azure Active Directory that hackers theoretically could have used to exploit and gain access to Microsoft applications. Almost 25% of multi-tenancy-based services were vulnerable to this security flaw. Multiple instances of a specific application run on a server in multi-tenancy architecture to serve multiple tenants.
The Bingbang vulnerability rendered certain Microsoft applications susceptible to hacker attacks. Wiz researchers were able to correct Bing search results and detect XSS attacks on Bing users. If such attacks are successful, hackers could theoretically gain access to Outlook emails and SharePoint documents. Files in OneDrive, Outlook calendar events and Teams service messages may also be compromised.
Yaniv Bar-Dayan, Wiz’s Chief Technology Officer, told Wall Street Journal that ‘a potential hacker could manipulate Bing search results, putting Microsoft 365 emails and data of millions at risk.’
Wiz researchers informed Microsoft about the vulnerability in Bing and this company quickly fixed it. The research company provided details of another vulnerability to Microsoft about a month ago. On March 20, 2023, Redmond informed Wiz that all issues had been resolved.
The new version of Bing that uses artificial intelligence was unveiled just a few days after one of these major vulnerabilities. If the vulnerability were not fixed, many users who had flocked to this search engine for its new features may have been at risk. Bing’s chatbot helped the search engine reach more than 100 million daily active users for the first time.
The BingBang vulnerability has existed in Microsoft’s search engine for years, but according to the researchers, there is no evidence that hackers have exploited this vulnerability.