BingBang: The AAD misconfiguration in Azure Active Directory

    https://www.wiz.io/blog/azure-active-directory-bing-misconfiguration

    How Wiz Research found a common misconfiguration in Azure Active Directory that compromised multiple Microsoft applications, including a Bing management portal

    Executive summary
    Wiz Research discovered a new attack vector in Azure Active Directory that exposed misconfigured applications to unauthorized access.

    These misconfigurations are fairly popular, especially with Azure App Services and Azure Functions. Based on our scans, about 25% of multi-tenant applications turned out to be vulnerable.

    We found several high-impact, vulnerable Microsoft applications. One of these apps is a content management system (CMS) that powers Bing.com and allowed us to not only modify search results, but also launch high-impact XSS attacks on Bing users. Those attacks could compromise users’ personal data, including Outlook emails and SharePoint documents.

    All issues were reported to the MSRC team. It fixed the vulnerable applications, updated customer guidance, and patched some AAD functionality to reduce customer exposure. MSRC’s blog can be found here….

    To check whether your environment has been affected by this misconfiguration, please refer to the “Customer Remediation Guidelines” section of the blog…
