@laacz tweet archive

Because Twitter has shut down free access to its API, this project can be considered dead as of 15 June 2023.

I found a Microsoft app configured like this, and… just logged in 🤷🏻‍♂️ My user was immediately granted access to this “Bing Trivia” page. Don’t let the name fool you – it controls much more than just trivia. In fact, as I came to find out, it can control ACTUAL SEARCH RESULTS 🤯

I then checked for XSS viability, by adding a harmless payload into my new result. I refreshed the page, and my payload successfully executed! I quickly reverted my changes and reported everything to Microsoft, but one question remained on my mind – what can I do with this XSS?

When inspecting Bing requests, I noticed an endpoint being used for Office 365 communications. As it turns out, Bing is allowed to issue Office tokens for any logged-on user. I quickly crafted an XSS payload utilizing this functionality, tested it on myself, and it worked!

With this token, an attacker could fetch: Outlook emails ✉️, Calendars 📅, Teams messages 💬, SharePoint documents 📄, OneDrive files 📁, and more, from any Bing user! Here you can see my personal inbox being read on our “attacker machine”, using the exfiltrated Bing token: