Full Report
How a misconfiguration in a Microsoft Bing.com application allowed Wiz Research to modify Bing’s search results – and potentially compromise the private data of millions of Bing users
Analysis Summary
# Incident Report: Azure AD Misconfiguration Leading to Bing.com Compromise (#BingBang)
## Executive Summary
Wiz Research discovered a critical attack vector stemming from a common Azure Active Directory (AAD) multi-tenant application misconfiguration, dubbed "#BingBang." This vulnerability allowed unauthorized login to a Microsoft application linked to Bing.com's Content Management System (CMS), enabling modification of live search results and potential Cross-Site Scripting (XSS) exploitation to steal Office 365 credentials from millions of Bing users. The issues were responsibly disclosed, and Microsoft rapidly remediated the vulnerable applications.
## Incident Details
- Discovery Date: Not explicitly stated; the report gives only the responsible-disclosure timeframe.
- Incident Date: Prior to disclosure by Wiz Research.
- Affected Organization: Microsoft (Bing.com, Azure Active Directory ecosystem).
- Sector: Technology / Internet Services
- Geography: Global (Bing serves users worldwide)
## Timeline of Events
### Initial Access
- Date/Time: Unknown
- Vector: Exploitation of a misconfigured multi-tenant Azure AD application ("Bing Trivia").
- Details: The AAD application was configured as multi-tenant but did not validate which tenant a login came from, so any external Azure user could authenticate to it. An attacker who did so gained access to the associated Content Management System (CMS) that powers Bing.com.
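The misconfiguration above is a missing tenant check in the application's token validation. The following Python example is added here to illustrate it; it is not code from Wiz, Microsoft or the Bing application. It mints a constructed token shaped like an Azure AD v2.0 access token, then validates it in two modes: the weak one (any tenant that presents a validly signed token for this audience is accepted) and the hardened one (the `tid` and `iss` claims must belong to an allowlisted tenant). The HS256 signing key, tenant ids and client id are placeholders chosen so the example runs offline; real Azure AD tokens are RS256-signed with keys published by the tenant's JWKS endpoint.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key. It stands in for the RS256 signing keys Azure AD
# actually uses, so that this example runs offline.
DEMO_KEY = b"demo-signing-key-not-a-real-secret"

# Hypothetical application values: its home tenant and its client id.
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
APP_CLIENT_ID = "trivia-demo-client-id"  # placeholder, not the real app id


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(tenant_id: str, subject: str, key: bytes = DEMO_KEY, ttl: int = 3600) -> str:
    """Build a constructed JWT with the claim shape of an Azure AD v2.0 access token."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    payload = {
        "iss": f"https://login.microsoftonline.com/{tenant_id}/v2.0",
        "tid": tenant_id,
        "aud": APP_CLIENT_ID,
        "sub": subject,
        "iat": now,
        "exp": now + ttl,
    }
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(payload).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def validate_token(token: str, key: bytes = DEMO_KEY, allowed_tenants=None) -> dict:
    """Verify signature, expiry and audience, then enforce the tenant check.

    allowed_tenants=None reproduces the misconfiguration: any tenant that can
    obtain a validly signed token for this audience is accepted.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) < time.time():
        raise ValueError("token expired")
    if claims.get("aud") != APP_CLIENT_ID:
        raise ValueError("wrong audience")
    # The check that was missing: the token's tenant must be one this
    # application expects, and the issuer must agree with that tenant.
    if allowed_tenants is not None:
        tid = claims.get("tid")
        if tid not in allowed_tenants:
            raise ValueError(f"tenant {tid} not allowed")
        if claims.get("iss") != f"https://login.microsoftonline.com/{tid}/v2.0":
            raise ValueError("issuer does not match tenant")
    return claims


def login_outcome(token: str, hardened: bool) -> str:
    """Return 'accepted' or 'rejected: <reason>' for the weak vs hardened configuration."""
    try:
        validate_token(token, allowed_tenants={HOME_TENANT} if hardened else None)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    foreign = mint_token("22222222-2222-2222-2222-222222222222", "external-user")
    home = mint_token(HOME_TENANT, "employee")
    print("weak config, foreign tenant:", login_outcome(foreign, hardened=False))
    print("hardened,    foreign tenant:", login_outcome(foreign, hardened=True))
    print("hardened,    home tenant:   ", login_outcome(home, hardened=True))
```

The point of the two modes is that signature, audience and expiry checks all pass for the foreign-tenant token; only the explicit tenant allowlist turns a multi-tenant app back into one that serves its own organisation.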
### Lateral Movement
- Researchers used access to the CMS to verify control by successfully modifying a live search result (changing the top result for "best soundtracks").
### Data Exfiltration/Impact
- Potential impact included:
1. Issuing misinformation campaigns by modifying arbitrary search results.
2. Launching XSS attacks targeting Bing users.
3. Stealing Office 365 access tokens from authenticated Bing users via a crafted XSS payload delivered through search results. This could grant access to related data (Outlook emails, documents, Teams messages).
### Detection & Response
- Detection: Proactively discovered by Wiz Research while examining novel cloud risks in Azure AD.
- Response actions taken: Changes were immediately reverted by the researchers. Findings were responsibly disclosed to Microsoft, which then rapidly fixed the vulnerable applications and modified AAD functionality to reduce customer exposure.
## Attack Methodology
- Initial Access: Leveraging misconfigured multi-tenant AAD application access validation.
- Persistence: Not detailed; the research moved directly from initial access to impact testing rather than maintaining access.
- Privilege Escalation: Not required for initial access or content modification; the XSS path yielded user tokens without further escalation.
- Defense Evasion: The attack exploited a structural configuration weakness rather than evading active security controls on endpoint systems.
- Credential Access: Potential Office 365 token theft via crafted XSS payload delivered through search results.
- Discovery: Researchers actively scanned for vulnerable multi-tenant applications lacking proper owner validation.
- Lateral Movement: Gaining access to the Bing.com CMS via the vulnerable AAD application.
- Collection: Malicious actors could leverage XSS to passively collect Office 365 session tokens of users performing searches.
- Exfiltration: In a real attack scenario, stolen session tokens would be exfiltrated.
- Impact: Modification of public search results and massive potential for sensitive data theft (O365 tokens).
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: Potential exposure of Office 365 data (emails, documents, chats) belonging to millions of Bing users globally.
- Operational: Potential for widespread dissemination of misinformation or phishing campaigns via search results hijacking.
- Reputational: Significant reputational risk to Microsoft due to control over a major search engine and the associated Office 365 integration.
## Indicators of Compromise
- Network indicators: None publicly shared (URLs/IPs were not specified in the overview).
- File indicators: None specified.
- Behavioral indicators: Unauthorized login attempts to multi-tenant AAD applications missing validation checks; injection of XSS payloads into Bing search results.
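The behavioral indicator above (sign-ins to a multi-tenant application from tenants that should never reach it) can be checked against sign-in logs. The Python below is an added example, not part of the original report or any vendor tooling: it parses constructed newline-delimited JSON records loosely modeled on Azure AD sign-in log fields (`homeTenantId`, `resourceTenantId`, `appDisplayName`, `status.errorCode`) and flags sign-ins where the user's home tenant differs from the resource tenant and the application is not on an allowlist of intentionally multi-tenant apps. Successful foreign-tenant sign-ins are rated high, failed attempts medium. All tenant ids, app names and users are made up.

```python
import json

# Hypothetical resource tenant that owns the applications.
HOME_TENANT = "11111111-1111-1111-1111-111111111111"

# Constructed sample records; field names loosely follow Azure AD sign-in logs.
SAMPLE_SIGNIN_LOG = """\
{"createdDateTime":"2023-01-31T10:00:01Z","userPrincipalName":"alice@example.com","appDisplayName":"Internal CMS","homeTenantId":"11111111-1111-1111-1111-111111111111","resourceTenantId":"11111111-1111-1111-1111-111111111111","status":{"errorCode":0}}
{"createdDateTime":"2023-01-31T10:02:14Z","userPrincipalName":"mallory@othercorp.example","appDisplayName":"Internal CMS","homeTenantId":"22222222-2222-2222-2222-222222222222","resourceTenantId":"11111111-1111-1111-1111-111111111111","status":{"errorCode":0}}
{"createdDateTime":"2023-01-31T10:03:40Z","userPrincipalName":"partner@partner.example","appDisplayName":"Partner Portal","homeTenantId":"33333333-3333-3333-3333-333333333333","resourceTenantId":"11111111-1111-1111-1111-111111111111","status":{"errorCode":0}}
{"createdDateTime":"2023-01-31T10:05:09Z","userPrincipalName":"eve@somewhere.example","appDisplayName":"Internal CMS","homeTenantId":"44444444-4444-4444-4444-444444444444","resourceTenantId":"11111111-1111-1111-1111-111111111111","status":{"errorCode":50105}}
"""

# Applications that are intentionally multi-tenant; foreign-tenant sign-ins
# to these are expected and are not flagged.
APPROVED_MULTI_TENANT_APPS = {"Partner Portal"}


def parse_signins(raw: str) -> list:
    """Parse newline-delimited JSON sign-in records, skipping blank or malformed lines."""
    records = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def find_cross_tenant_signins(records: list, approved_apps: set) -> list:
    """Flag sign-ins whose home tenant differs from the resource tenant when the
    target application is not approved for multi-tenant use."""
    alerts = []
    for rec in records:
        home = rec.get("homeTenantId")
        resource = rec.get("resourceTenantId")
        app = rec.get("appDisplayName", "")
        if not (home and resource) or home == resource or app in approved_apps:
            continue
        succeeded = rec.get("status", {}).get("errorCode") == 0
        alerts.append({
            "time": rec.get("createdDateTime"),
            "user": rec.get("userPrincipalName"),
            "app": app,
            "homeTenantId": home,
            # A successful foreign-tenant login means the app accepted the token;
            # a failed attempt still shows the app is being reached from outside.
            "severity": "high" if succeeded else "medium",
            "reason": "foreign-tenant sign-in to app not approved for multi-tenant access",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_cross_tenant_signins(parse_signins(SAMPLE_SIGNIN_LOG), APPROVED_MULTI_TENANT_APPS):
        print(alert)
```

The allowlist is the key tuning knob: an organisation that knows which of its app registrations are meant to be multi-tenant can treat every other cross-tenant success as a misconfiguration to investigate.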
## Response Actions
- Containment measures: Researchers immediately reverted temporary modifications made to test the vulnerability.
- Eradication steps: Microsoft rapidly fixed the vulnerable "Bing Trivia" application and modified related AAD functionality.
- Recovery actions: Not explicitly detailed; recovery presumably involved correcting the AAD configurations across affected services to enforce proper tenant validation.
## Lessons Learned
- The speed and flexibility of cloud infrastructure (like AAD) mean simple developer mistakes (like incorrect tenant validation settings) can expose highly sensitive services to the internet instantly.
- Security resilience relies heavily on rapid detection and mitigation of newly exposed attack surfaces.
- Clear guardrails are necessary to differentiate intended public endpoints from accidental exposure.
## Recommendations
- Implement rapid detection mechanisms to monitor for new public endpoints created across the organization's cloud estate.
- Establish clearly defined guidelines ("guardrails") for approved public exposure, ensuring anything outside these rules is flagged as accidental.
- Utilize adaptive automation to continuously scan and validate the organization's attack surface against security baselines to keep pace with rapid cloud changes.