{"id":623940,"date":"2023-03-31T09:49:25","date_gmt":"2023-03-31T14:49:25","guid":{"rendered":"https:\/\/news.sellorbuyhomefast.com\/index.php\/2023\/03\/31\/this-bing-flaw-let-hackers-change-search-results-and-steal-your-files\/"},"modified":"2023-03-31T09:49:25","modified_gmt":"2023-03-31T14:49:25","slug":"this-bing-flaw-let-hackers-change-search-results-and-steal-your-files","status":"publish","type":"post","link":"https:\/\/newsycanuse.com\/index.php\/2023\/03\/31\/this-bing-flaw-let-hackers-change-search-results-and-steal-your-files\/","title":{"rendered":"This Bing flaw let hackers change search results and steal your files"},"content":{"rendered":"
\n
\n

<\/p>\n

\n

\"Alex\t\t\t\t<\/p>\n<\/p><\/div>\n

\n


\n\t\t\t\tBy
\n\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\tAlex Blake\t\t\t\t\t<\/a>
\n\t\t\t\t\t\t\t\t\t\t\t\t<\/span><\/p>\n

\t\t

<\/cite><\/p>\n<\/header>\n

\n

A security researcher was recently able to change the top results in Microsoft\u2019s Bing search engine<\/a> and access any user\u2019s private files, potentially putting millions of users at risk \u2014 and all it took was logging into an unsecured web page.<\/p>\n

The exploit was discovered by researcher Hillai Ben-Sasson at their team at Wiz, a cloud security firm. According to Ben-Sasson<\/a>, it would not only allow an attacker to change Bing search results but would also grant them access to millions of users\u2019 private files and data.<\/p>\n

\n

The #BingBang – a Bing.com vulnerability discovered by Wiz Research<\/p>\n<\/div>\n

Dubbed BingBang by the research group, the vulnerability centered on Microsoft\u2019s Azure Active Directory, which is used by enterprises to manage user identities and access to apps. Unfortunately, if an app is misconfigured, any Azure user in the world can log into it without the proper credentials.<\/p>\n

Shockingly, the researchers noted in a technical analysis<\/a> of the bug that up to 25% of all multi-user apps they scanned were vulnerable \u2014 including a Microsoft app named Bing Trivia.<\/p>\n

After exploiting the flaw to log into the Bing Trivia app, the Wiz team found a content management system (CMS) tied to Bing.com that was controlling the search engine\u2019s live results. With a touch of humor, they then altered one of the entries, changing the top result for \u2018best soundtracks\u2019 from the Dune score to that from the 1995 movie Hackers.<\/p>\n

However, there\u2019s nothing funny about what this flaw implies. As the researchers explained, \u201ca malicious actor landing on the Bing Trivia app page could therefore have tampered with any search term and launched misinformation campaigns, as well as phished and impersonated other websites.\u201d<\/p>\n

<\/a>Stealing private files and emails<\/h2>\n
\"A
Wiz<\/span><\/figcaption><\/figure>\n

What\u2019s more, the researchers were able to add a harmless cross-site scripting (XSS) payload into Bing while they were logged in. This was able to run as expected, without interference. After reporting the issue to Microsoft, the researchers tried modifying this XSS payload to see what was possible.<\/p>\n

Because Bing integrates with Microsoft 365<\/a>, the Wiz team was able to create a script that could potentially steal a logged-in user\u2019s access tokens, granting them access to that user\u2019s cloud data. That could include Outlook emails<\/a>, calendars, Teams messages, OneDrive files, and more.<\/p>\n

Put together, that means a hacker could have the power to redirect Bing search results to a malicious website, and at the same time harvest private data from any user logged in on a Microsoft 365 account. All from exploiting a simple login vulnerability.<\/p>\n

Fortunately, the researchers immediately reported the flaw to Microsoft and it was patched shortly afterward, resulting in a $40,000 bug bounty reward. Yet it remains an alarming example of how little effort can be required to steal private data from millions of unsuspecting users.<\/p>\n

\n\tEditors’ Recommendations<\/h4>\n