• btc = $65 806.00 683.32 (1.05 %)

  • eth = $3 580.61 38.69 (1.09 %)

  • ton = $7.20 0.30 (4.31 %)

  • btc = $65 806.00 683.32 (1.05 %)

  • eth = $3 580.61 38.69 (1.09 %)

  • ton = $7.20 0.30 (4.31 %)

30 Mar, 2023
1 min time to read

A vulnerability was found in Microsoft's Azure platform by researchers, which enabled users to gain access to private data from Office 365 applications such as Outlook, Teams, and OneDrive.

Earlier this year, a serious vulnerability was discovered in Microsoft's Bing search engine, allowing users to modify search results and access other users' private data from Teams, Outlook, and Office 365. Security researchers from Wiz found a misconfiguration in Azure, Microsoft's cloud computing platform, that compromised Bing, allowing unauthorized access to applications by any Azure user.

The vulnerability was found in the Azure Active Directory (AAD) identity and access management service, where developers are responsible for validating users' access to multi-tenant applications. Wiz claims that 25% of all multi-tenant apps lack proper validation, making misconfigurations a common occurrence.

Bing Trivia was one such app that researchers found to have a content management system (CMS) that allowed them to control live search results on Bing.com. By exploiting the vulnerability, Wiz showed that the exploit could be used to access other users' Office 365 data, including emails, calendars, Teams messages, SharePoint documents, and OneDrive files. Over 1,000 other apps and websites on Microsoft's cloud were discovered to have similar misconfiguration exploits.

Microsoft was informed of the Bing vulnerability on January 31st and fixed it on February 2nd. The other vulnerable applications were reported on February 25th, and Microsoft confirmed on March 20th that all reported issues had been fixed.

Bing has become increasingly popular, recently surpassing 100 million daily active users. If the vulnerability had not been patched, the dangerous security exploit could have affected millions of users. This vulnerability is being disclosed at the same time that Microsoft is marketing its new Microsoft Security Copilot cybersecurity solution to businesses. While Wiz has no evidence of previous exploitation, they suggest that organizations with Azure Active Directory applications should review their application logs for suspicious logins indicating a security breach.