I hacked into a @bing CMS that allowed me to alter search results and take over millions of @Office365 accounts. How did I do it? Well, it all started with a simple click in @Azure… 👀 This is the story of #BingBang 🧵⬇️
This is a Twitter thread, ordered from oldest to newest. Number of tweets: 10
My research started when our Research Team at @wiz_io first noticed a strange configuration in Azure. A single checkbox is all that separates an app from becoming “multi-tenant” – which by default, allows ALL USERS to log in.
I found a Microsoft app configured like this, and… just logged in 🤷🏻♂️ My user was immediately granted access to this “Bing Trivia” page. Don’t let the name fool you – it controls much more than just trivia. In fact, as I came to find out, it can control ACTUAL SEARCH RESULTS 🤯
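The two tweets above describe the root cause: once an app registration is set to multi-tenant, Azure AD will authenticate users from any tenant, so authorization has to happen in the app itself by checking the tenant (`tid`) and issuer (`iss`) claims of the token. The block below is an added example written for this page, not code from the Wiz thread or from Microsoft. The client ID, tenant IDs and token claims are constructed for illustration; the `signInAudience` values are the real ones used in the Azure AD app manifest. It assumes the token signature has already been verified by the OIDC middleware and shows only the claims-level checks that the “Bing Trivia” app was missing.

```python
"""Claims-level authorization checks for an Azure AD multi-tenant app.

Added example (not the Wiz team's or Microsoft's code). Assumes the JWT
signature and issuer keys were already validated by the OIDC middleware;
what follows is the tenant/audience/expiry logic the app itself must own.
"""
import time

# Constructed configuration values; the IDs are made up for the example.
APP_CLIENT_ID = "11111111-2222-3333-4444-555555555555"
HOME_TENANT = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
ALLOWED_TENANTS = {HOME_TENANT}

# Real Azure AD manifest values for the "Supported account types" checkbox.
# Anything other than AzureADMyOrg lets users from foreign tenants (or
# personal accounts) authenticate, so the app must filter by tenant itself.
MULTI_TENANT_AUDIENCES = {"AzureADMultipleOrgs", "AzureADandPersonalMicrosoftAccount"}


def audience_risk(sign_in_audience):
    """True when the registration accepts sign-ins from outside the home tenant."""
    return sign_in_audience in MULTI_TENANT_AUDIENCES


def check_claims(claims, allowed_tenants=ALLOWED_TENANTS,
                 client_id=APP_CLIENT_ID, now=None):
    """Return (ok, reason). ok is True only if the token was minted for this
    app, is unexpired, and was issued by a tenant on the allow-list."""
    now = time.time() if now is None else now
    if claims.get("aud") != client_id:
        return False, "audience mismatch"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    tid = claims.get("tid")
    if not tid or tid not in allowed_tenants:
        return False, "tenant %r not allowed" % (tid,)
    # The issuer URL embeds the tenant ID (v2.0 and v1 endpoint forms);
    # it must agree with the tid claim, otherwise reject.
    expected_iss = (
        "https://login.microsoftonline.com/%s/v2.0" % tid,
        "https://sts.windows.net/%s/" % tid,
    )
    if claims.get("iss") not in expected_iss:
        return False, "issuer does not match tenant"
    return True, "ok"


# Constructed sample tokens (payload claims only, signature assumed verified).
NOW = 1_700_000_000
HOME_CLAIMS = {
    "aud": APP_CLIENT_ID, "exp": NOW + 3600, "tid": HOME_TENANT,
    "iss": "https://login.microsoftonline.com/%s/v2.0" % HOME_TENANT,
    "preferred_username": "employee@example.com",
}
# A user from any other tenant: Azure AD signs this in just as happily.
FOREIGN_TENANT = "99999999-8888-7777-6666-555555555555"
FOREIGN_CLAIMS = {
    "aud": APP_CLIENT_ID, "exp": NOW + 3600, "tid": FOREIGN_TENANT,
    "iss": "https://login.microsoftonline.com/%s/v2.0" % FOREIGN_TENANT,
    "preferred_username": "researcher@attacker.example",
}

if __name__ == "__main__":
    print("home tenant:   ", check_claims(HOME_CLAIMS, now=NOW))
    print("foreign tenant:", check_claims(FOREIGN_CLAIMS, now=NOW))
    print("multi-tenant registration risky:", audience_risk("AzureADMultipleOrgs"))
```

The foreign-tenant token is rejected even though Azure AD authenticated it, which is the check a multi-tenant app needs; flipping the registration back to `AzureADMyOrg` removes the exposure at the source, but the tenant check is still worth keeping for defence in depth.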
I started looking around to realize the app’s purpose and why I had access. I then found a section that contained some keywords and corresponding search results, which raised the question – could this app actually modify search results on http://Bing.com? 🔎
I tested this theory by selecting the “best soundtracks” keyword and switching the first result from “Dune (2021)” to my personal favorite, “Hackers (1995)”. I was surprised to see this result immediately appear on http://Bing.com!
I then checked for XSS viability, by adding a harmless payload into my new result. I refreshed the page, and my payload successfully executed! I quickly reverted my changes and reported everything to Microsoft, but one question remained on my mind – what can I do with this XSS?
When inspecting Bing requests, I noticed an endpoint being used for Office 365 communications. As it turns out, Bing is allowed to issue Office tokens for any logged-on user. I quickly crafted an XSS payload utilizing this functionality, tested it on myself, and it worked!
With this token, an attacker could fetch: Outlook emails ✉️ Calendars 📅 Teams messages 💬 SharePoint documents 📄 OneDrive files 📁 And more, from any Bing user! Here you can see my personal inbox being read on our “attacker machine”, using the exfiltrated Bing token:
@msftsecresponse quickly responded to our report, fixed the vulnerable applications, and introduced some AAD product and guidance changes to help customers mitigate this issue. For this, they awarded us a $40,000 bug bounty, which we will donate 💸
Read the full technical details here >> https://www.wiz.io/blog/azure-active-directory-bing-misconfiguration