{"id":11498,"date":"2023-03-31T20:02:44","date_gmt":"2023-03-31T20:02:44","guid":{"rendered":"https:\/\/gustavopineda.com\/?p=11498"},"modified":"2023-03-31T20:02:44","modified_gmt":"2023-03-31T20:02:44","slug":"microsoft-security-flaw-altered-bing-search-results","status":"publish","type":"post","link":"https:\/\/gustavopineda.com\/?p=11498","title":{"rendered":"Bing vulnerability made it possible to alter search results"},"content":{"rendered":"<div><imgsrc=\"\" alt=\"Padlock on a circuit board\"><\/p>\n<p>A major security exploit that let researchers change Bing search results was revealed this week. <\/p>\n<p>The vulnerability was discovered in January by cybersecurity research company <a href=\"https:\/\/www.wiz.io\/blog\/azure-active-directory-bing-misconfiguration\" target=\"_blank\" rel=\"noopener\">Wiz<\/a> and reported to the Microsoft Security Response Center (MSRC). <\/p>\n<p>In a Twitter thread, Wiz researcher Hillai Ben-Sasson explained how he was able to hack into Bing&#8217;s content management system (CMS). By logging into Microsoft&#8217;s cloud computing platform Azure, he discovered that he could grant all users access to internal Microsoft apps. He then accessed a database of Bing&#8217;s search results. From there, Ben-Sasson figured out that he could actually modify what showed up in the results. <\/p>\n<p>Wiz researchers also discovered that Bing was vulnerable to a Cross-Site Scripting (XSS) attack and discovered they had access to sensitive Office 365 data including Outlook emails, Calendar information, and Teams messages. MSRC detailed security updates and shared recommendations for Azure AD admins and developers in its <a href=\"https:\/\/msrc.microsoft.com\/blog\/2023\/03\/guidance-on-potential-misconfiguration-of-authorization-of-multi-tenant-applications-that-use-azure-ad\/\" target=\"_blank\" rel=\"noopener\">blog post<\/a>. <\/p>\n<div class=\"mx-auto mt-8 w-full max-w-3xl font-sans text-lg leading-normal md:text-xl md:leading-7\">\n        <span class=\"font-bold text-primary-400\">SEE ALSO:<\/span><br \/>\n        <a href=\"https:\/\/mashable.com\/uk\/deals\/best-vpn-for-free\" class=\"text-secondary-300\"><br \/>\n            Protect your privacy with the best free VPN<br \/>\n            <svg class=\"inline-block ml-1 w-4 h-4 font-normal fill-current\"><use href=\"https:\/\/mashable.com\/images\/icons\/spritemap.svg#sprite-arrow-right-thin\"><\/use><\/svg><br \/>\n        <\/a>\n    <\/div>\n<p>The purpose of the researchers&#8217; experiment was to show that it was possible and share its findings with Microsoft. But it shows how malicious hackers could have wreaked havoc for Bing. <\/p>\n<p>&#8220;A malicious actor with the same access could\u2019ve hijacked the most popular search results with the same payload and leak sensitive data from millions of users,&#8221; said the Wiz blog post. Luckily it was caught before any major damage was done. <\/p>\n<blockquote class=\"twitter-tweet\"><p>\n    <a class=\"text-gray-600\" href=\"https:\/\/twitter.com\/hillai\/status\/1641146508639600646\" target=\"_blank\" rel=\"noopener\"><br \/>\n        Tweet may have been deleted<br \/>\n        <span class=\"sr-only\">(opens in a new tab)<\/span><br \/>\n    <\/a>\n<\/p><\/blockquote>\n<p><a href=\"https:\/\/mashable.com\/category\/microsoft\" target=\"_self\" rel=\"noopener\">Microsoft<\/a> <a href=\"https:\/\/msrc.microsoft.com\/blog\/2023\/03\/guidance-on-potential-misconfiguration-of-authorization-of-multi-tenant-applications-that-use-azure-ad\/\" target=\"_blank\" rel=\"noopener\">confirmed<\/a> that it has been fixed as of March 29. Wiz received a $40,000 &#8220;bug bounty&#8221; for reporting the vulnerability, which it it plans to donate to an unspecified recipient.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A major security exploit that let researchers change Bing search results was revealed this week. The vulnerability was discovered in January by cybersecurity research company Wiz and reported to the&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"registered_only","ping_status":"closed","sticky":false,"template":"","format":"gallery","meta":{"nf_dc_page":"","om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[17],"tags":[],"class_list":["post-11498","post","type-post","status-publish","format-gallery","hentry","category-technology","post_format-post-format-gallery"],"aioseo_notices":[],"jetpack_featured_media_url":"","jetpack-related-posts":[],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/gustavopineda.com\/index.php?rest_route=\/wp\/v2\/posts\/11498","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gustavopineda.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gustavopineda.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gustavopineda.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/gustavopineda.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=11498"}],"version-history":[{"count":0,"href":"https:\/\/gustavopineda.com\/index.php?rest_route=\/wp\/v2\/posts\/11498\/revisions"}],"wp:attachment":[{"href":"https:\/\/gustavopineda.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=11498"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gustavopineda.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=11498"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gustavopineda.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=11498"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}