
This mega Microsoft security flaw could let hackers change Bing results, access Outlook emails

Web Hosting & Remote IT Support

Microsoft has patched a high-severity vulnerability in its Bing search engine, which allowed potential threat actors to not only alter search results, but also access people’s Office 365 data.

Cybersecurity researchers from Wiz discovered the flaw in January 2023, identifying it as a misconfiguration in how a Bing application used the Azure Active Directory (AAD) identity and access management service in Microsoft's Azure cloud platform.

Aside from changing search engine results, the flaw could allow access to other people’s Office 365 data, such as Outlook emails, calendars, Teams messages, OneDrive files, and more.

A common occurrence

Some applications on Azure can be registered as multi-tenant, which means any Azure AD user from any tenant can authenticate to them. That puts the burden on developers to check, on every login, which tenant issued the token and whether that tenant's users should be allowed in. According to The Verge, this is where many get it wrong, as misconfigurations in this respect are “a common occurrence.” Wiz says 25% of all multi-tenant apps it scanned did not properly validate the token issuer.
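The check that those apps were missing is a single claim comparison. The following is an added example, not code from the article or from Wiz or Microsoft: it builds constructed Azure AD-style tokens and runs them through a "weak" validator (signature, expiry and audience only) and a "strict" one that also pins the issuer and tenant ID. Tokens are signed with HS256 and a shared secret purely so the block runs offline; real Azure AD tokens are RS256 and are verified against the tenant's published signing keys. The app ID, tenant IDs and secret are all hypothetical values chosen for the example.

```python
"""Weak vs. hardened validation of an access token in a multi-tenant app.

Constructed example: HS256 with a shared secret stands in for Azure AD's
RS256 signing, so the block runs with only the standard library.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret"                      # stand-in for the issuer's signing key
APP_ID = "api://bing-trivia-demo"                        # hypothetical audience (app ID) of our app
HOME_TENANT = "11111111-1111-1111-1111-111111111111"     # hypothetical tenant that owns the app
ALLOWED_TENANTS = {HOME_TENANT}                          # tenants whose users may sign in


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(tid: str, aud: str = APP_ID, ttl: int = 3600) -> str:
    """Mint a constructed token as tenant `tid` would issue it (v2.0 issuer format)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": f"https://login.microsoftonline.com/{tid}/v2.0",
        "tid": tid,
        "aud": aud,
        "exp": int(time.time()) + ttl,
        "sub": "some-user",
    }
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def _verify_and_decode(token: str) -> dict:
    """Checks every multi-tenant app gets right: signature, expiry, audience."""
    h, p, s = token.split(".")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims["exp"] < time.time():
        raise ValueError("token expired")
    if claims["aud"] != APP_ID:
        raise ValueError("wrong audience")
    return claims


def weak_validate(token: str) -> bool:
    """The pattern behind the Bing Trivia bug: the token is genuine and meant for
    this app, but nobody asks WHICH tenant issued it, so any Azure AD account
    from any tenant in the world is accepted."""
    try:
        _verify_and_decode(token)
        return True
    except (ValueError, KeyError):
        return False


def strict_validate(token: str) -> bool:
    """Hardened: additionally require the tenant to be on the allowlist and the
    issuer URL to agree with the tid claim."""
    try:
        claims = _verify_and_decode(token)
    except (ValueError, KeyError):
        return False
    tid = claims.get("tid")
    if tid not in ALLOWED_TENANTS:
        return False
    return claims.get("iss") == f"https://login.microsoftonline.com/{tid}/v2.0"


if __name__ == "__main__":
    foreign = make_token("22222222-2222-2222-2222-222222222222")  # attacker's own tenant
    print("weak accepts foreign tenant:  ", weak_validate(foreign))
    print("strict accepts foreign tenant:", strict_validate(foreign))
```

The foreign-tenant token passes every check the weak validator performs, which is exactly why an attacker's personal Azure account was enough to reach the CMS. Most identity libraries expose an issuer or tenant allowlist option; the fix is to set it rather than to accept every issuer by default.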

This is exactly what happened to Bing Trivia, and that allowed the researchers to log in with their own Azure accounts. Once logged in, they were granted access to a content management system (CMS) which let them alter live search results from Bing. The researchers said that they didn’t do anything spectacular here - anyone who knew how to reach the Bing Trivia page could have done the same.

Besides altering search engine results, the researchers also found that the access could be extended to other people’s Office 365 data, such as Outlook emails, calendars, Teams messages, OneDrive files, and more. They confirmed this against a mock email inbox. The vulnerability’s reach did not end there: more than 1,000 apps and websites on Microsoft’s cloud had similar abusable misconfigurations, including Mag News, PoliCheck, Cosmos, and others.

“A potential attacker could have influenced Bing search results and compromised Microsoft 365 emails and data of millions of people,” Ami Luttwak, Wiz’s chief technology officer, told The Wall Street Journal. “It could have been a nation-state trying to influence public opinion or a financially motivated hacker.”

Microsoft was notified on January 31 and had fully addressed the vulnerability by March 20. The researchers found no evidence of prior abuse.

Via: The Verge


