[German]A nice case about the risk of the cloud. Microsoft 's Azure may have allowed a misconfiguration of some apps or services. As a result, attackers could potentially inject malicious code into Bing search results pages to manipulate them. It would also have been possible to use captured Bing credentials to tap data from Microsoft Office 365 applications. As the saying goes, everything is connected to everything else. Here's an outline of what just became known.
Advertising
The Bi(n)gBang in Azure
It's being called "the bug of the year", a misconfiguration allowed by Microsoft Azure, that opened a . Hillai Ben-Sasson touched on the subject on Twitter, and Jeremy Kirk points to the Wiz blog post BingBang: How a simple developer mistake could have led to Bing.com takeover in the following tweet.
Security researchers at Wiz describe a new attack vector they identified in Azure Active Directory (AAD) in the document in question. The attack vector is based on a common AAD misconfiguration that leaves misconfigured applications vulnerable to unauthorized access. This also affected the content management system (CMS) that powers Bing.com. As a result, security researchers were able to hijack Bing.com's functions. Subsequently, Bing.com search results could be changed. Furthermore, the security researchers suspect that the theft of Office 365 credentials from millions of Bing users was possible. These credentials, in turn, granted access to users' private emails and documents. The security researchers have given the vulnerability the name BigBang (ok, they named it BingBang, but I prefere BigBang).
Azure Single Sign On (SSO)
Microsoft offers its own SSO (Single Sign On) service in Azure. Azure Active Directory (AAD) is the most common authentication mechanism for applications created in Azure App Services or Azure Functions. Actually, all users who have used any online service from Microsoft have seen the login page below. You log in to your Microsoft account using email and password (or 2FA) and gain access to the services.
Advertising
In this context, AAD offers different types of account access: multi-tenant, personal accounts, or a combination of the latter two. For multi-tenant apps, only users from the same tenant can issue an OAuth token for the app. For multi-tenant apps, on the other hand, any Azure tenant can issue an OAuth token for them. As a result, app developers need to review the tokens in their code and decide which user is allowed to log in.
Confusing responsibilities
With managed Azure App services and Azure functions, developers can add an authentication with a click of a button to a service (see the following figure). The impact of the complicated Azure SSO architecture is not always clear to app developers, and the responsibility for validating end-user tokens is often also not clear.
Identy Provider (Source: Wiz)
As a result, configuration and validation faults are common. This is because the service only ensures the validity of the authentication token. It is usually not clear to the developers and administrators of the applications and services that they have the responsibility to validate the identity of the user via OAuth and only then allow the appropriate access.
With single-tenant authentication, the impact is limited to the tenant of the application – the security researchers writes. All users of the same tenant can connect to the application/service. However, it becomes critical for multi-tenant applications. This is because any Azure user can log in to the application with the authentication token without proper validation.
Bing Trivia and the Bi(n)gBang
Recognizing these problems and their potential impact, the security researchers began scanning the Internet for open applications. The results were surprising: 25% of all multi-tenant applications scanned by the security researchers were vulnerable to a so-called authentication bypass, i.e. the user's authentication was not sufficiently checked.
Surprisingly, the application developed by Microsoft itself called "Bing Trivia" was also on the list of vulnerable products. Since this app was misconfigured, the researchers were able to log into it using their own Azure user. Then they found a content management system (CMS) linked to Bing.com.
To verify that this CMS was indeed driving Bing's live results, they selected a keyword in the CMS and temporarily changed its content. They changed a keyword in the CMS to a custom term and found that this change was output in the live Bing.com search results. The manipulated results with title, thumbnail and arbitrary link immediately appeared on Bing.com (see the following image with the original bing.com search result and the manipulated result).
Bing.com results: Original left, manipulated right, source: Wiz
This was already the first "JackPot," as a malicious actor landing on the Bing Trivia app page could have manipulated any search term and launched misinformation campaigns, linked to malware pages, and spoofed and impersonated other websites.
Steal Office 365 credentials from Bing users
But it goes further. The Wiz security researchers tested whether cross-site scripting (XSS) attacks on Office 365 applications were also possible from bing.com. In a cross-site scripting (XSS) attack, malicious scripts are injected into a trusted website.
In their experiments, the Wiz folks found that they could compromise the Office 365 token of any Bing user with their XSS-injected scripts. That hit the researchers' next jackpot, because bing.com and Office 365 are integrated with each other. Bing has what is called a "Work" area. This allows users to search their Office 365 data. To implement this feature, Bing communicates with Office 365 on behalf of the user logged-in. Researchers created an XSS payload for bing.com that steals users' Office 365 access tokens.
Such a stolen token could allow a potential attacker to access Bing users' Office 365 data. This includes access to Outlook emails, calendars, team messages, SharePoint documents and OneDrive files. Wiz security researchers limited tests to their own user; no tests were conducted with other Bing.com users.
A malicious actor with the same access could have hijacked the most popular Bing search results with the same payload and grabbed the sensitive data of millions of Office 365 users. That's the super-GAU – and couldn't have been prevented with the teasing ChatGPT integration in the offing. The security researchers reported their findings to the Microsoft Security Response Center (MSRC) and received a bug bounty award of $40,000. Microsoft applied a fix the same day, and published the support article Guidance on Potential Misconfiguration of Authorization of Multi-Tenant Applications that use Azure AD on March 29, 2023.
The bottom line: Some question
At this point, the question arises whether this vulnerability has not already been exploited. The number of hacks recently makes one wonder. And what also concerns me: How should this process be classified for European users in terms of the GDPR? If it was possible to access emails or appointments from Office 365 accounts, this is in my view a GDPR incident that would potentially have to be reported by companies that use this product.
And the other question that concerns me is: "Do people still have a grip on the cloud"? Development is becoming faster and faster, while IT structures are becoming more complex. The above facts show that a simple mistake by a developer can have critical consequences. As Wiz security researchers write, "The agility with which we work as cloud developers makes us vulnerable to mistakes, so we should anticipate the next inevitable incident. Our resilience as security teams depends on how we catch and mitigate these errors. Preventing accidental compromise should be a key pillar of any cloud security program." I'll end the last sentence with "Guys, you can forget this claim", because at this point "we were out of money", the person in charge had to go to the bathroom because of indigestion, and the CEO said "everything works, why spend more money". Or how do you see that?
