BingBang. This is the name given to a security flaw discovered in Azure and Bing that allowed an attacker not only to modify the results of Microsoft's search engine, but also to inject malicious code capable of stealing the personal information linked to a victim's Office 365 account, including Outlook emails, calendar information, Teams conversations and OneDrive files.
Fortunately, the method behind this vulnerability was discovered by a security researcher rather than a cybercriminal. The technique for taking control of millions of Office 365 accounts was reported to the Microsoft Security Response Center and has already been patched, which is why the details of how this security hole worked can now be shared.

Bing search results hacked
Hillai Ben-Sasson, a researcher at Wiz Research, managed to modify the search results returned by Bing at will, in an exploit he dubbed BingBang. To do this, he gained access to a Bing administration panel that exposed far more than one might expect.
The first step was to spot an unusual configuration in Azure. A single checkbox is all that separates an application from becoming "multi-user", a setting which by default allows any user to log in.
Following this lead, a Microsoft application configured in this way was found, and Ben-Sasson logged into it. His user was immediately granted access to a CMS page called "Bing Trivia", which controls more than meets the eye, including search results. When the researcher found a section containing keywords and their corresponding search results, the question arose: could this app modify Bing's search results?
Indeed, it could. The theory was tested by modifying the search results for "best soundtracks" and changing the first result from "Dune (2021)" to "Hackers (1995)", with the change appearing on Bing instantly.
Office 365 account data was accessed
Beyond the danger of deliberately manipulating search results, the limits of this vulnerability were tested further by checking whether it allowed cross-site scripting (XSS), a security flaw typical of web applications that lets a third party inject JavaScript or similar code into web pages visited by the user.
To do this, a harmless payload was added to the new search result. After refreshing the page, that payload executed successfully. Ben-Sasson quickly reverted the changes and reported everything to Microsoft, but one question remained on his mind: what could be done with this XSS?
Hillai Ben-Sasson (@hillai), March 29, 2023:
"I hacked into a @Bing CMS that allowed me to alter search results and take over millions of @Office365 accounts.
How did I do it? Well, it all started with a simple click in @Azure… 👀
This is the story of #BingBang 🧵⬇️ https://t.co/9pydWvHhJs"
While inspecting Bing's requests, he noticed that one endpoint was used for Office 365 communications. It turns out that Bing can issue Office tokens for any signed-in user. He designed an XSS payload that used this functionality, and it worked.
A payload of this kind, injected into the accounts of millions of Office 365 users, could reach the following personal information linked to a Microsoft account: emails, calendars, Teams messages, SharePoint documents, OneDrive files and more. And this applied to any Bing user.
The Microsoft Security Response Center responded quickly to the report, fixed the vulnerable applications, and made changes to the Azure admin panel guidance and to the product itself to help customers mitigate this issue. The vulnerability was of such magnitude that a $40,000 bounty was awarded, which the discoverers decided to donate.
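As an added example (not from the original article, Wiz's research or Microsoft's code), here is the application-side check that a "multi-user" Azure AD app registration like the one described above needs: once the checkbox lets any tenant's users sign in, the application itself must reject tokens whose tenant (`tid`) and issuer (`iss`) claims are not on an allowlist. The tenant ID, the issuer URL formats and the unsigned test tokens are constructed for the demonstration, and the snippet assumes signature and expiry validation has already been done by the identity library.

```python
import base64
import json

# Tenant IDs this application agrees to serve. A multi-tenant app
# registration accepts sign-ins from any Azure AD tenant, so the app
# itself must enforce this allowlist. The value is a constructed placeholder.
ALLOWED_TENANTS = {"11111111-1111-1111-1111-111111111111"}

# Issuer URL formats (assumed here) for Azure AD v2 and v1 tokens, keyed by tenant.
ISSUER_FORMATS = (
    "https://login.microsoftonline.com/{tid}/v2.0",
    "https://sts.windows.net/{tid}/",
)


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_tenant_allowed(token: str, allowed=ALLOWED_TENANTS) -> bool:
    """Return True only if the token comes from an allowlisted tenant.

    Assumes signature and expiry were already verified by the identity
    library; this adds the tenant check that the multi-tenant setting
    leaves up to the application.
    """
    try:
        _header, payload, _signature = token.split(".")
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # covers malformed JWT, bad base64 and bad JSON
        return False
    if not isinstance(claims, dict):
        return False
    tid = claims.get("tid")
    if tid not in allowed:
        return False
    # The issuer must name the same tenant; a mismatch means the token
    # did not come from the tenant it claims to belong to.
    expected = {fmt.format(tid=tid) for fmt in ISSUER_FORMATS}
    return claims.get("iss") in expected


def make_test_token(claims: dict) -> str:
    """Build an unsigned JWT as constructed test input (the signature is a dummy)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.dummysig"
```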