Misconfigured Azure Active Directory (AAD) Could Lead to Unauthorized Access and Bing Takeover
Recently, cybersecurity company Wiz discovered a misconfiguration issue in Azure Active Directory (AAD) that resulted in unauthorized access to several applications, which could have also led to a Bing.com takeover.
Azure Active Directory (AAD) is a cloud-based Microsoft identity and access management (IAM) service. AAD is commonly used for authenticating Azure applications and offers various types of account access. Multi-tenant access is one of the options. Using it without proper restrictions could allow any user from any Azure tenant to issue an OAuth token, creating a security risk.
Researcher Hillai Ben-Sasson explained that by checking a single option, an application could become multi-tenant, allowing all users to log in by default.
To mitigate the risk of unauthorized access to multi-tenant applications, developers must verify a user’s original tenant and enforce access policies.
Cybersecurity researchers found that more than 25% of multi-tenant applications online exhibit a lack of proper validation because developers were not made aware that they are responsible for ensuring user identity.
Misconfigured Microsoft Applications
Researchers gained access to Microsoft’s Bing Trivia application, which provides access to a content management system (CMS) linked to Bing.com. In an attack dubbed “BigBang,” this enabled them to control search engine results.
Any search term could be altered by a malicious actor who gains unauthorized access to the Bing Trivia application’s page. They could also share false information, phish for information, and impersonate other websites.
After conducting further research, the researchers found that Bing and Office 365 were linked, and by adding a cross-site scripting (XSS) payload to Bing.com, they could compromise the Office 365 token of any user.
This gave them access to the user’s Office 365 data, including emails, Teams messages, calendar entries, SharePoint, and OneDrive files. If a malicious actor had the same access, they could have taken control of the most popular search results and exposed the sensitive information of millions of users.
Other Microsoft applications affected by the misconfiguration were Mag News, Centralized Notification Service (CNS) API, Contact Center, PoliCheck, Power Automate Blog, and COSMOS.
The researchers noted that any organization with Azure Active Directory applications configured as multi-tenant but lacking authorization checks might be vulnerable to such issues.
Administrators should review their application configurations and ensure that multi-tenant access is correctly configured or switch to single-tenant authentication if not required.
Microsoft addressed the Bing issue on the same day it was reported and fixed the vulnerable applications in late February, offering a $40,000 bug bounty reward.
It is worth noting that this is not the first time a misconfigured Microsoft Azure endpoint has caused a data breach.
SOCRadar discovered and reported the BlueBleed data breach that occurred in October of last year. The breach was caused by a vulnerability in an open-source software framework used by a misconfigured Microsoft Azure endpoint, which exposed data from 150,000 companies across 123 countries.
Recommendations
To test if your application is vulnerable, log in as a user from a different Azure tenant than your own. A successful login indicates that your application is vulnerable.
It is advised to perform the following actions to resolve the problem:
If your application does not require multi-tenancy, switch to single-tenant authentication by going to your app’s page. This eliminates the risk of unauthorized access from other tenants.
If your app needs to grant external tenant access, consider the following options:
- Require user assignment or use conditional access policies to limit access to authorized users only.
- Implement claims-based authorization logic by performing token checks within your application code.
It is also recommended to check logs for past activity on vulnerable applications.