Microsoft's Bing has been getting a lot more attention in the past couple of months than it had in most of the search engine's lifetime, thanks to the launch of Bing Chat. However, before the reveal of the chatbot, a security research firm called Wiz found a major security flaw in Bing that would have allowed hackers to get personal information and even alter search results.
Wiz's Hillai Ben-Sasson posted a Twitter thread with the team's findings this week, as reported by The Wall Street Journal. It started in January when Wiz found a "strange configuration in Azure". Ben-Sasson used this configuration to get into Microsoft's Bing Trivia feature, and soon found that this access let him change Bing's search results.
The flaw also allowed Wiz to "issue Office tokens for any logged-on user". That means attackers could have used this exploit to get personal information from Bing users, including Outlook emails, Teams chats, and more. As Wiz's chief technology officer Ami Luttwak told The Wall Street Journal, "It could have been a nation-state trying to influence public opinion or a financially motivated hacker."
The good news is that Microsoft has now fixed the issues that Wiz reported in Azure and Bing. In its own blog post on this issue, it stated:
Azure AD has been updated to stop issuing access tokens to clients that are not registered in the resource tenants. This prevents this issue from happening even if an application does not correctly handle the authorization check.
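The statement above distinguishes two layers of defence: the identity provider no longer issuing tokens to clients that are not registered in the resource tenant, and the application performing its own authorization check. The following is an added example, not Microsoft's or Wiz's code, showing what that application-side check looks like for a multi-tenant app: the weak version accepts any validly signed token whose audience matches the app, while the strict version also requires the token's tenant (`tid`) to be on an allow-list and the issuer (`iss`) to match that tenant. It assumes the Azure AD v2.0 claim names and issuer URL format; the signing key, tenant IDs and tokens are constructed for the demo and signed with HS256 so it runs offline (real Azure AD tokens are RS256-signed with keys fetched from the tenant's JWKS endpoint).

```python
# Added example (not Microsoft's or Wiz's code): the application-side
# authorization check a multi-tenant Azure AD app must perform.
# Assumptions: 'tid', 'iss' and 'aud' claim names and the
# https://login.microsoftonline.com/{tid}/v2.0 issuer format follow the Azure AD
# v2.0 token format. DEMO_KEY and all IDs below are constructed for the demo;
# HS256 stands in for the RS256 signature of a real Azure AD token.
import base64
import hashlib
import hmac
import json

DEMO_KEY = b"demo-signing-key-not-real"  # constructed, not a real key

APP_ID = "00000000-0000-0000-0000-00000000aaaa"          # constructed app (client) ID
HOME_TENANT = "11111111-1111-1111-1111-111111111111"     # constructed trusted tenant
ATTACKER_TENANT = "22222222-2222-2222-2222-222222222222" # constructed foreign tenant


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build an HS256 JWT carrying the given claims (stand-in for an Azure AD token)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_signature(token: str, key: bytes = DEMO_KEY) -> dict:
    """Return the claims if the signature is valid, otherwise raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


def authorize_weak(token: str, app_id: str = APP_ID) -> bool:
    """Vulnerable pattern: a validly signed token for this app from ANY tenant is accepted."""
    claims = verify_signature(token)
    return claims.get("aud") == app_id  # never checks which tenant issued it


def authorize_strict(token: str, app_id: str = APP_ID,
                     allowed_tenants: frozenset = frozenset({HOME_TENANT})) -> bool:
    """Hardened pattern: signature, audience, tenant allow-list and issuer binding."""
    claims = verify_signature(token)
    if claims.get("aud") != app_id:
        return False
    tid = claims.get("tid")
    if tid not in allowed_tenants:
        return False  # token is for a tenant this app does not serve
    # the issuer must be bound to the same tenant as the tid claim
    if claims.get("iss") != f"https://login.microsoftonline.com/{tid}/v2.0":
        return False
    return True


def token_for(tenant: str, aud: str = APP_ID, iss_tenant: str = None) -> str:
    """Constructed token that looks like an Azure AD v2.0 access token for `tenant`."""
    iss_tenant = iss_tenant or tenant
    return make_token({
        "aud": aud,
        "tid": tenant,
        "iss": f"https://login.microsoftonline.com/{iss_tenant}/v2.0",
        "sub": "constructed-user",
    })


def demo() -> dict:
    """Run the weak and strict checks against a home-tenant and a foreign-tenant token."""
    home = token_for(HOME_TENANT)
    foreign = token_for(ATTACKER_TENANT)
    return {
        "home_weak": authorize_weak(home),
        "home_strict": authorize_strict(home),
        "foreign_weak": authorize_weak(foreign),      # True: the gap the article describes
        "foreign_strict": authorize_strict(foreign),  # False: tenant not on the allow-list
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ALLOW' if ok else 'DENY'}")
```

The weak check is the pattern the statement warns about: a multi-tenant registration means Azure AD will sign tokens for users of any tenant, so the signature and audience alone say nothing about whether the caller belongs to an organisation the app should trust. The strict version makes that decision explicitly and additionally pins the issuer to the tenant claim so a token cannot name one tenant in `tid` and another in `iss`.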
In addition, Ben-Sasson stated on Twitter that Microsoft awarded Wiz a $40,000 bounty for discovering and reporting the flaws.