Researchers have discovered a misconfiguration in Azure Active Directory that exposed applications to unauthorized access, which could have led to a Bing.com takeover.
Microsoft’s AAD, a cloud-based identity and access management service supports different types of account access, including multi-tenant, where any user belonging to any Azure tenant can issue an OAuth token for them, unless proper restrictions are in place.
For multi-tenant applications, developers are responsible for checking a user’s original tenant and enforcing access policies to prevent unauthorized logins, but here in this case more than 25% of the multi-tenant apps accessible from the internet lack proper validation.
The issue persists because it is not evident to developers that they are responsible for validating user identity, leading to configuration and validation error.
One app was Bing Trivia, a Microsoft application that provided access to a content management system linked to Bing.com, which allowed to control results on Microsoft’s search engine.
Its been discovered that Bing and Office 365 were connected and that they could add a cross-site scripting payload to Bing.com, which allowed them to compromise the Office 365 token of any user that inturn provides access to a user’s Office 365 data, including emails, Teams messages, calendar entries, and SharePoint and OneDrive files.
Other applications such as Mag News, Centralized Notification Service (CNS) API, Contact Center, PoliCheck, Power Automate Blog, and the file management system COSMOS impacted by this misconfiguration.
It’s recommended that all admins check their application configurations to ensure that multi-tenant access is properly configured or switched to single-tenant authentication if multi-tenancy is not required.
This research was documented by researchers from Wiz and shared the findings with Microsoft, and it addressed the initial Bing issue on January 2023 and patched the vulnerable applications in February 2023.
Reference: Security Week.