
A Microsoft Azure Flaw Could Compromise Bing and Office 365

Security researchers have found a new vulnerability affecting applications built on Microsoft Azure Active Directory (Azure AD). The flaw allowed users to alter Bing search results and to view other users' private information, including Outlook emails, calendars, and Microsoft Teams messages.

Because of a misconfiguration in Azure Active Directory (AAD) in several of Microsoft's cloud-hosted applications, miscreants could have taken over Bing's search engine and used it to subvert Microsoft's cloud-hosted services. A successful request could even change the results shown on the Bing home page. User accounts, along with Outlook emails, calendars, and Teams messages, were left exposed to theft and snooping.

The Azure Active Directory (Azure AD) misconfiguration was identified by Wiz researchers as part of the campaign they named BingBang. The issue was discovered in January this year.

Several of Microsoft's own multi-tenant applications in Azure AD were misconfigured. In AAD, an app can be registered as single-tenant or multi-tenant, depending on the developer's needs. A multi-tenant application accepts logins from users of any Azure tenant, so the developer must perform additional authorization checks to decide which users are actually allowed to use the app; it is the developer's responsibility to do so, and without such a check any Azure user can sign in.
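The tenant check described above, as an added example that is not code from the article or from Wiz. It assumes the token's signature and expiry have already been validated upstream and that `claims` is the decoded JWT payload; the tenant IDs are constructed placeholders.

```python
# Added example: per-tenant authorization for a multi-tenant Azure AD app.
# Assumes signature/expiry validation already happened upstream; `claims`
# is the decoded JWT payload as a dict. Tenant IDs below are placeholders.
from typing import Iterable, Optional

# Azure AD v2.0 issuer format: https://login.microsoftonline.com/{tid}/v2.0
ISSUER_PREFIX = "https://login.microsoftonline.com/"


class TenantNotAllowed(Exception):
    """Raised when a token does not come from an allow-listed tenant."""


def tenant_from_issuer(iss: str) -> Optional[str]:
    """Return the tenant ID embedded in a v2.0 issuer URL, or None if malformed."""
    if not iss.startswith(ISSUER_PREFIX):
        return None
    tid, sep, version = iss[len(ISSUER_PREFIX):].partition("/")
    if sep != "/" or version != "v2.0" or not tid:
        return None
    return tid


def authorize_tenant(claims: dict, allowed_tenants: Iterable[str]) -> str:
    """The check the article says multi-tenant app developers must add.

    Without it, a token from any Azure tenant is accepted. We require a
    `tid` claim, an issuer that names the same tenant, and membership of
    that tenant in the app's allow-list. Returns the accepted tenant ID.
    """
    allowed = {t.lower() for t in allowed_tenants}
    tid = str(claims.get("tid", "")).lower()
    iss_tid = tenant_from_issuer(str(claims.get("iss", "")))
    if not tid or iss_tid is None:
        raise TenantNotAllowed("missing or malformed tid/iss claim")
    if iss_tid.lower() != tid:
        raise TenantNotAllowed("issuer tenant does not match tid claim")
    if tid not in allowed:
        raise TenantNotAllowed(f"tenant {tid} is not allowed")
    return tid


def is_allowed(claims: dict, allowed_tenants: Iterable[str]) -> bool:
    """Boolean wrapper around authorize_tenant for request handlers."""
    try:
        authorize_tenant(claims, allowed_tenants)
        return True
    except TenantNotAllowed:
        return False


# Constructed placeholder tenant IDs (not real values)
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
FOREIGN_TENANT = "22222222-2222-2222-2222-222222222222"
```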

According to Wiz's findings, approximately 25 percent of the multi-tenant applications they examined lacked proper validation of this kind. The researchers created an account and used it to log in to an application called Bing Trivia. Behind it they found a Content Management System (CMS) used to manage Bing content, and they modified a search query so that their favorite film, Hackers (1995), appeared first in the search results instead of Dune (2021).

Security experts have also found that the same vulnerability could be exploited to carry out cross-site scripting (XSS) attacks.

Further, Bing's Work section lets users search Office 365 data that other employees in their organization have been authorized to access. Email, calendar, Teams messages, OneDrive files, and SharePoint documents are among the items included in this category.

Wiz researchers say several thousand cloud-based applications and websites are vulnerable. Among the affected Microsoft tools were Mag News, Power Automated Blog, Contact Center, PoliCheck, and Cosmos, a file management system.

Having changed search results, the researchers wanted to see whether the vulnerability could also be used for cross-site scripting (XSS) attacks, in which malicious scripts are injected into trusted Microsoft websites so that they run in a victim's browser. Code executed in a victim's browser would give an attacker access to that victim's account and, if successful, could exfiltrate their data. In this case, the team poisoned a page so that visitors would see what the team intended them to see.

Wiz found that other internal Microsoft-managed apps were misconfigured in the same way as Bing Trivia.

These included Mag News, a control panel for the MSN Newsletter; a Microsoft API for the Central Notification Service; and Contact Center. There was also a Microsoft internal tool called PoliCheck, used by the company to check for forbidden words in code. In addition, Wiz was able to publish fake posts on a Microsoft.com domain by reaching its WordPress admin panel. Cosmos, a Microsoft internal file storage system, held more than four exabytes of data.

Microsoft responded by issuing fixes for all of these applications and awarded Wiz a $40,000 bug bounty for discovering the vulnerabilities.

The researchers reported the Bing vulnerability to Microsoft's Security Response Center on January 31, 2023. Microsoft has since fixed the vulnerability in all affected applications through previously released updates. It is important to note that no evidence has been found of attackers exploiting this vulnerability in the wild.

The good news is that Microsoft has made changes to its Azure Active Directory applications in an attempt to prevent such misconfigurations in the future. To track suspicious activity and prevent security breaches, the Wiz team recommends that IT administrators check their app logs.

Microsoft Cloud Users Hit by Global Outage

Microsoft has identified a recent change to an authentication system as the likely cause of an outage that hit customers of its cloud-based portfolio of productivity and back-office apps across the world. Customer reports of technical problems with the software giant's Microsoft 365 online productivity suite first began appearing around 7 pm on Monday 15 March 2021, according to Downdetector's outage tracking data.

Microsoft updated its service health status page soon after and confirmed that customers might be encountering issues when attempting to access the company's key online collaboration, communication, and productivity tools. The company went on to confirm that any service that depends on its cloud-based identity and access management service, Azure Active Directory (AAD), might be affected. These include the component services that make up Microsoft 365, such as Outlook, Word, Excel, and PowerPoint; however, access to the company's wider portfolio of cloud services was also affected by the issues.

As confirmed on the Microsoft status page, customers of its public cloud platform Azure, its business intelligence software Dynamics 365, and the Microsoft Managed Desktop service are also known to have encountered access issues. The company additionally published a series of updates for customers during the incident via its social media channels.

These included confirmation that a recent update to an authentication system had been identified as causing issues that could be affecting customers around the world. Following this, the company confirmed at around 9.17 pm on 15 March that it was rolling out a "mitigation worldwide" to address the issue, with full "remediation" expected within 60 minutes of its deployment.

"Service health has improved across multiple Microsoft 365 services," said a post on the Microsoft 365 Twitter account. "However, we are taking steps to resolve some isolated residual impact for services that are still experiencing impact." On 16 March the company published a further update on Twitter saying that the incident appeared to have been largely resolved. "Our monitoring indicates that the majority of the services have fully recovered," it said. "However, we're addressing a subset of services that are still experiencing some residual impact and delays in recovery."