A serious security flaw has been found in Bing search results. Fortunately, more fear than harm.
A serious security vulnerability was recently disclosed. It allowed anyone who found it to deliberately modify Bing search results. The vulnerability was discovered last January by the cybersecurity company Wiz, which immediately reported it to the Microsoft Security Response Center (MSRC).
Serious security vulnerability found in Bing search results
In a Twitter thread, Wiz researcher Hillai Ben-Sasson explained how he managed to compromise Bing’s content management system (CMS). By signing in through the Microsoft Azure cloud platform, he found that the Redmond firm’s internal applications could be opened to any user. He then reached the Bing search results database, and from there found a way to change what appears in the results at will.
Wiz researchers also discovered that Bing was vulnerable to a cross-site scripting (XSS) attack, and found that they could reach sensitive Office 365 data, including Outlook emails, calendar entries, and Teams messages. MSRC detailed the relevant security updates and shared its best practices for Azure developers and administrators in a blog post.
Fortunately, more fear than harm
The purpose of the researchers’ experiments was to show that this was possible and to share it with Microsoft. But it also shows how attackers could have harmed Bing. “An attacker with the same access could have hijacked the most popular search results using the same procedure and thereby leaked the data of millions of users,” the Wiz blog post says.
Fortunately, it was more fear than harm, so to speak: no serious damage seems to have been done. Microsoft confirmed that the vulnerability was patched over the weekend. At the same time, Wiz received a $40,000 reward from Microsoft’s bug bounty program for reporting the flaw. The company announced that it would donate the sum to an organization of its choice.
I hacked @Bing CMS, which allowed me to change search results and take over millions of @Office365 accounts.
How did I do it? Well, it all started with a simple click at @Azure …
This is the story of #BingBang 🧵⬇️ pic.twitter.com/9pydWvHhJs
Hillai Ben-Sasson (@hillai), March 29, 2023