Misconfigured Microsoft Bing Application Allows Breach of Office 365 Users

Security researchers at IT security company Wiz have detected a new attack vector, named 'BingBang', in Azure Active Directory (AAD) that compromised a Microsoft application and enabled the researchers to take over its functionality, modify search results, and steal credentials of Office 365 users.

As per the researchers, the attack is caused by a misconfigured Microsoft application and allowed cross-site scripting (XSS) attacks that could potentially breach Office 365 user accounts.

The configuration setting is called 'Supported account types'. It lets developers specify which tenants are allowed to access the application: multi-tenant, individual accounts, or a mix of multiple tenants and individual accounts. If this information is not properly validated, any Azure user in the world could log in to the app.

After detecting the issue, the researchers scanned the internet for vulnerable applications (multi-tenant apps lacking proper validation) and found that approximately 25% of the multi-tenant apps were vulnerable.

Interestingly, an app made by Microsoft itself, named "Bing Trivia", was found misconfigured and allowed them to log in to it with their own Azure user.

The researchers also found a linked Content Management System (CMS) that allowed them to modify the live content shown in Bing search results.

In addition, an XSS test conducted to compromise the Office 365 token of any Bing user who viewed the search results gave them full access to those users' accounts, including Outlook emails, calendar data, Teams messages, SharePoint documents, and OneDrive files.

After identifying the risk in Microsoft's application, Wiz's analysts reported the issue to Microsoft on January 31, 2023. In response, the company confirmed that it was fixed on March 28, 2023, and says it has introduced security enhancements that prevent Azure AD misconfiguration issues from becoming a problem again.

Developers can follow Microsoft's guidance and Wiz's remediation instructions for securing multi-tenant applications.

Recommendations:

- Security administrators should apply the Principle of Least Privilege to all systems and services.
- Security administrators should make sure that all applications, databases, servers, and network devices are periodically hardened and adequately configured.
- Users should not download suspicious applications or attachments received over the internet, and should be alert to social engineering and phishing attacks.
- Users should not download, accept, or execute files, visit websites, or follow links provided by unknown or untrusted sources.
- System administrators should regularly take backups of applications, databases, and all critical data.
- Keep AV signatures, operating systems, and third-party applications up to date on all systems, mobile devices, and servers.
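The tenant validation that the 'Supported account types' paragraph above says was missing, shown as an added example (not code from the Wiz research or from Microsoft): the weak issuer check that accepts any Azure AD tenant beside the strict check that pins tokens to an allowlist. It assumes the token signature has already been verified against the authority's signing keys, and all tenant IDs and claims below are constructed.

```python
# Added example, not from the Wiz write-up or Microsoft. Assumes JWT signature
# verification has already happened; only the tenant-scoping logic is shown.

# Issuer prefixes used by the Azure AD v2.0 and v1.0 endpoints; the tenant ID
# is the first path segment after the host.
ISSUER_HOSTS = ("https://login.microsoftonline.com/", "https://sts.windows.net/")

class TenantRejected(Exception):
    pass

def weak_issuer_check(claims: dict) -> bool:
    """The misconfiguration: accept any token minted by the shared authority.

    Every Azure AD tenant shares these issuer hosts, so this check alone lets
    any Azure user in the world sign in, which is the flaw described above.
    """
    return claims.get("iss", "").startswith(ISSUER_HOSTS)

def validate_tenant(claims: dict, allowed_tenants: frozenset) -> str:
    """Return the tenant ID if the token comes from an allowed tenant, else raise.

    Requires the tenant in `iss` and the `tid` claim to agree, then checks the
    tenant against an explicit allowlist controlled by the application owner.
    """
    tid = claims.get("tid")
    iss = claims.get("iss", "")
    if not tid:
        raise TenantRejected("token carries no tid claim")
    host = next((h for h in ISSUER_HOSTS if iss.startswith(h)), None)
    if host is None:
        raise TenantRejected(f"unexpected issuer {iss!r}")
    iss_tenant = iss[len(host):].split("/", 1)[0]
    if iss_tenant != tid:
        raise TenantRejected("issuer tenant does not match tid claim")
    if tid not in allowed_tenants:
        raise TenantRejected(f"tenant {tid} is not allowed for this application")
    return tid

def is_allowed(claims: dict, allowed_tenants: frozenset) -> bool:
    """Boolean wrapper around validate_tenant for callers that do not want exceptions."""
    try:
        validate_tenant(claims, allowed_tenants)
        return True
    except TenantRejected:
        return False

# Constructed sample tenants and claims (placeholder IDs, not real tenants).
HOME_TENANT = "00000000-0000-0000-0000-00000000aaaa"
OTHER_TENANT = "00000000-0000-0000-0000-00000000bbbb"
ALLOWED = frozenset({HOME_TENANT})

def claims_for(tenant: str, issuer_tenant: str = None) -> dict:
    """Build minimal constructed claims; issuer_tenant lets a test forge a mismatch."""
    return {"iss": f"https://login.microsoftonline.com/{issuer_tenant or tenant}/v2.0",
            "tid": tenant, "aud": "example-app-client-id", "sub": "user-object-id"}
```

`weak_issuer_check` returns True for a foreign tenant's token while `is_allowed` returns False for it, which is the difference between the misconfigured and the corrected application.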