A major security exploit that let researchers change Bing search results was revealed this week.
The vulnerability was discovered in January by cybersecurity research company Wiz and reported to the Microsoft Security Response Center (MSRC).
In a Twitter thread, Wiz researcher Hillai Ben-Sasson explained how he was able to hack into Bing’s content management system (CMS). By logging into Microsoft’s cloud computing platform Azure, he discovered that he could grant all users access to internal Microsoft apps. He then accessed a database of Bing’s search results. From there, Ben-Sasson figured out that he could actually modify what showed up in the results.
Wiz researchers also discovered that Bing was vulnerable to a Cross-Site Scripting (XSS) attack and discovered they had access to sensitive Office 365 data including Outlook emails, Calendar information, and Teams messages. MSRC detailed security updates and shared recommendations for Azure AD admins and developers in its blog post.
The purpose of the researchers’ experiment was to show that it was possible and share its findings with Microsoft. But it shows how malicious hackers could have wreaked havoc for Bing.
“A malicious actor with the same access could’ve hijacked the most popular search results with the same payload and leak sensitive data from millions of users,” said the Wiz blog post. Luckily it was caught before any major damage was done.
Microsoft confirmed that it has been fixed as of March 29. Wiz received a $40,000 “bug bounty” for reporting the vulnerability, which it it plans to donate to an unspecified recipient.