[ad_1]
Microsoft has patched a misconfiguration challenge impacting the Azure Active Directory (AAD) identification and entry administration service that uncovered a number of “high-impact” purposes to unauthorized entry.
“One of those apps is a content material administration system (CMS) that powers Bing.com and allowed us to not solely modify search outcomes, but additionally launch high-impact XSS assaults on Bing customers,” cloud safety agency Wiz stated in a report. “Those assaults may compromise customers’ private knowledge, together with Outlook emails and SharePoint paperwork.”
The points have been reported to Microsoft in January and February 2022, following which the tech big utilized fixes and awarded Wiz a $40,000 bug bounty. Redmond stated it discovered no proof that the misconfigurations have been exploited within the wild.
The crux of the vulnerability stems from what’s known as “Shared Responsibility confusion,” whereby an Azure app will be incorrectly configured to permit customers from any Microsoft tenant, resulting in a possible case of unintended entry.
Interestingly, a variety of Microsoft’s personal inside apps have been discovered to exhibit this habits, thereby allowing exterior events to acquire learn and write to the affected purposes.
This contains the Bing Trivia app, which the cybersecurity agency exploited to change search ends in Bing and even manipulate content material on the homepage as a part of an assault chain dubbed BingBang.
To make issues worse, the exploit could possibly be weaponized to set off a cross-site scripting (XSS) assault on Bing.com and extract a sufferer’s Outlook emails, calendars, Teams messages, SharePoint paperwork, and OneDrive recordsdata.
“A malicious actor with the identical entry may’ve hijacked the most well-liked search outcomes with the identical payload and leak delicate knowledge from tens of millions of customers,” Wiz researcher Hillai Ben-Sasson famous.
Other apps that have been discovered prone to the misconfiguration challenge embrace Mag News, Central Notification Service (CNS), Contact Center, PoliCheck, Power Automate Blog, and COSMOS.
Become an Incident Response Pro!
Unlock the secrets and techniques to bulletproof incident response – Master the 6-Phase course of with Asaf Perlman, Cynet’s IR Leader!
The growth comes as enterprise penetration testing agency NetSPI revealed particulars of a cross-tenant vulnerability in Power Platform connectors that could possibly be abused to achieve entry to delicate knowledge.
Following accountable disclosure in September 2022, the deserialization vulnerability was resolved by Microsoft in December 2022.
The analysis additionally follows the discharge of patches to remediate Super FabriXss (CVE-2023-23383, CVSS rating: 8.2), a mirrored XSS vulnerability in Azure Service Fabric Explorer (SFX) that would result in unauthenticated distant code execution.