A security researcher was able to place his own results at the top of Bing, Microsoft’s search engine, and add malware to them. He could have used it to steal access cookies from logged-in Office365 customers.
Azure Active Directory is offered by Microsoft as a cloud service, but is also used for internal identity management services. The security researcher was able to gain access to internal administration tools for the Bing search engine through a misconfiguration.
The advantages Azure AD offers, such as user authentication without programming effort and single sign-on, add a lot of value for administrators and developers. However, when cloud admins open up “multi-tenancy” they give attackers opportunities to enter.
Security researchers at Wiz found a vulnerable Azure app earlier this year and were able to gain access to Microsoft’s internal content management system via an AD login. This allowed them to make changes to search results published live on bing.com and also change the background image of the Bing home page.
Through this vulnerability, they managed to inject their own JavaScript code into the search engine, which was executed with its privileges. Using an Office365 API, Wiz employees were able to grab access tokens of the web-based Office suite and would have been able to steal emails, calendar entries, team messages and documents from Sharepoint and OneDrive.
The discoverers reported this finding to the Microsoft Security Response Center (MRSC), which applied a hotfix the same day. The security researchers received $40,000 for reporting the vulnerability. They plan to donate this money.
Those who use Azure AD should read the developers blog article, which also describes how to secure their own environment.