Windows Central
Sean Endicott

Bing and millions of Microsoft 365 accounts were vulnerable to hackers due to the 'BingBang' vulnerability

What you need to know

  • Wiz Research found a misconfiguration in Azure Active Directory applications that left Bing and millions of Microsoft 365 accounts exposed.
  • The researchers were able to change Bing search results and showed that a malicious payload planted there could reach Bing users through the search engine itself.
  • The issue was reported to Microsoft and fixed less than a week before the new ChatGPT-powered Bing launched in preview.

Earlier this year, a vulnerability was disclosed that had put millions of Microsoft 365 accounts at risk. Security researchers at Wiz found a misconfiguration in Azure Active Directory that let them log in to Bing's content management system (CMS) and, from there, reach private data in Microsoft 365 apps such as Teams, Outlook, and the Office suite.

Hillai Ben-Sasson, a cloud security researcher at Wiz, broke down how they were able to alter Bing search results and "take over millions of Office 365 accounts."

He laid out the attack step by step in an extensive Twitter thread.

Wiz also has a blog post about the vulnerability, as well as a video.

Wiz discovered an attack vector in Azure Active Directory that, if exploited, granted unauthorized access to misconfigured applications. The problem arises when an application is registered as multi-tenant, meaning Azure AD will issue it sign-in tokens for users from any Azure AD tenant, but the application never checks which tenant issued the token; any Azure AD account holder can then log in. Roughly 25% of the multi-tenant applications Wiz scanned were vulnerable, and the research firm stressed that this misconfiguration is common.
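The misconfiguration is easiest to see in code. The example below is added here and is not Wiz's or Microsoft's code. It builds constructed, unsigned JWT-shaped tokens (Azure AD tokens are RS256-signed in reality, and signature verification is assumed to happen separately) and contrasts a validator that accepts a token from any Azure AD tenant with one that also pins the `tid` and `iss` claims to an allowlist of tenants. The tenant IDs, client ID and usernames are placeholders, not real Azure AD identifiers.

```python
import base64
import json
from typing import Iterable

# Placeholder GUIDs for illustration; these are constructed, not real tenants or apps.
OUR_TENANT = "11111111-1111-1111-1111-111111111111"
ATTACKER_TENANT = "22222222-2222-2222-2222-222222222222"
APP_CLIENT_ID = "33333333-3333-3333-3333-333333333333"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string with a dummy signature.

    Real Azure AD tokens are RS256-signed; a production app must verify that
    signature against the issuer's published keys before reading any claim.
    That step is assumed to happen elsewhere and is omitted so the example
    runs offline.
    """
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.c2lnbmF0dXJl"  # dummy signature segment


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT-shaped token (no signature check)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def vulnerable_accept(token: str) -> bool:
    """The BingBang-style mistake.

    A multi-tenant app checks only that the token was minted for it (aud).
    Azure AD issues such a token to any tenant's user who signs in to a
    multi-tenant app, so anyone with an Azure AD account passes this check.
    """
    return decode_claims(token).get("aud") == APP_CLIENT_ID


def hardened_accept(token: str, allowed_tenants: Iterable[str]) -> bool:
    """Accept the token only if it was issued for this app by an approved tenant.

    The tid claim must be allow-listed, and the issuer must be the Azure AD
    endpoint for that same tenant (v2.0 or v1.0 issuer format).
    """
    claims = decode_claims(token)
    if claims.get("aud") != APP_CLIENT_ID:
        return False
    tid = claims.get("tid")
    if tid not in set(allowed_tenants):
        return False
    valid_issuers = {
        f"https://login.microsoftonline.com/{tid}/v2.0",  # Azure AD v2.0 tokens
        f"https://sts.windows.net/{tid}/",                 # Azure AD v1.0 tokens
    }
    return claims.get("iss") in valid_issuers


# Constructed sample tokens: a legitimate sign-in from our tenant, a sign-in
# from an unrelated tenant (the BingBang scenario), and a token whose tid
# claims our tenant but whose issuer does not agree.
TOKEN_OURS = make_unsigned_token({
    "aud": APP_CLIENT_ID,
    "tid": OUR_TENANT,
    "iss": f"https://login.microsoftonline.com/{OUR_TENANT}/v2.0",
    "preferred_username": "alice@ourtenant.example",
})
TOKEN_OTHER_TENANT = make_unsigned_token({
    "aud": APP_CLIENT_ID,
    "tid": ATTACKER_TENANT,
    "iss": f"https://login.microsoftonline.com/{ATTACKER_TENANT}/v2.0",
    "preferred_username": "mallory@attacker.example",
})
TOKEN_ISSUER_MISMATCH = make_unsigned_token({
    "aud": APP_CLIENT_ID,
    "tid": OUR_TENANT,
    "iss": f"https://login.microsoftonline.com/{ATTACKER_TENANT}/v2.0",
    "preferred_username": "mallory@attacker.example",
})


if __name__ == "__main__":
    for name, tok in [("ours", TOKEN_OURS), ("other tenant", TOKEN_OTHER_TENANT),
                      ("issuer mismatch", TOKEN_ISSUER_MISMATCH)]:
        print(f"{name:16} vulnerable={vulnerable_accept(tok)!s:5} "
              f"hardened={hardened_accept(tok, [OUR_TENANT])}")
```

The point of the second validator is that "is this token for my app" and "is this token from a tenant I trust" are separate questions; a multi-tenant registration answers only the first by default, and if the application is meant to serve a single organisation it should either be registered as single-tenant or enforce the tenant check itself.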

Several Microsoft applications were exposed this way. Through Bing's CMS, Wiz was able to modify Bing search results and inject a payload that executed as cross-site scripting (XSS) in the browsers of Bing users. A successful attack could have stolen a logged-in user's Office 365 tokens from Bing, giving a threat actor access to Outlook emails and SharePoint documents; OneDrive files, Outlook calendars, and Teams messages were also at risk of exposure.

“A potential attacker could have influenced Bing search results and compromised Microsoft 365 emails and data of millions of people,” said Ami Luttwak, Wiz’s chief technology officer, to The Wall Street Journal. “It could have been a nation-state trying to influence public opinion or a financially motivated hacker.”

Wiz alerted Microsoft to the Bing vulnerability, and the company fixed it quickly. Wiz then reported the other vulnerable applications on February 25, 2023, and on March 20, 2023, Microsoft confirmed to Wiz that all of the related issues had been fixed.

In a way, the timing was a blessing for Microsoft. The Bing vulnerability was reported on January 31, 2023 and fixed two days later, on February 2, 2023; Microsoft announced the new Bing on February 7, 2023. Had the vulnerability still been unpatched when the new search engine launched in preview, the pool of potential victims would have been far larger.

Bing Chat helped push Microsoft's search engine past 100 million daily active users.

Wiz said the vulnerability could have been exploitable for years, but clarified that it found no evidence that anyone had actually exploited it.
