Microsoft's Bing is slowly gaining traction among users courtesy of its GPT-4-powered avatar
Microsoft's Bing is slowly gaining traction among users courtesy of its GPT-4-powered avatar
Share:

USA: Microsoft's Bing is slowly gaining popularity among users thanks to its GPT-4-powered incarnation, after spending years in relative obscurity. However, a vulnerability discovered by Viz Research and Hillai Ben-Sasson could have halted the search engine's meteoric rise to fame. Microsoft later fixed the problem, but the bug had a significant impact on Bing. Take a look at what happened.

Threats can use any problems with cloud-based identity providers to disrupt a business. In the case of Bing, its vulnerability is caused by Azure Active Directory (AAD).

Things would have been worse if the bug had been discovered earlier by a threat actor. Perhaps Bing's hopes of competing effectively with Google Search have also been dashed.

Also Read: The iPhone stand from Tensegrity appears to float in the air

The AAD configuration and validation errors were discovered by Viz Research. Making the app multi-tenant through an option in "App Registration" will make it available to all users. So any Azure user will be able to use any application.

Further investigation by Viz Research revealed that this issue affects 25% of all multi-tenant apps.

He found a website called bingtrivia.azurewebsites.net.

Bing Trivia was accessible to Wiz Research, but it was not a tenant of Microsoft. Even though it initially appeared to be a standard CMS (Content Management System), Viz Research's analysis revealed several sections related to essential Bing content.

One section contained certain keywords and associated search results. This is where the story of "Bingbang" began.

Also Read: Apple releases updates for iPadOS 16.4 and iOS 16.4

By changing the content of a carousel in the CMS, Wiz Research was able to influence search results on Bing. He substituted Hackers for Dune as the first item in the "best soundtrack" query.

Then, using a secure payload, they tested for XSS (cross-site scripting). Payload executed successfully. The information on Bing's home page was also open to modification.

According to Wiz Research, even Office 365 users were exposed. Any user who is logged in is eligible to receive an Office token from Bing. Through an endpoint used for Office 365 communications, the researchers created an XSS payload.

Also Read: Apple Music Classical  is now available for iPhone users to download

He tried it on himself, and it was successful. The token enables a threat actor to access a victim's OneDrive files, Teams messages, and Outlook email, among other things.

Wiz Research reported its findings to the Microsoft Security Response Center (MSRC). Wiz Research reports that the MSRC has taken note of all of their recommendations. As a bug bounty, MSRC paid them $40,000 for their work.

Share:
Join NewsTrack Whatsapp group
Related News