Microsoft has addressed a serious vulnerability affecting Azure Active Directory (AAD).
The AAD vulnerability affected several critical applications and could have led to unauthorized access. One of the exposed applications powers the Bing.com search engine. According to cloud security firm Wiz, the flaw allowed an attacker to modify search results and to mount XSS attacks against Bing users.
Such attacks could have compromised users' personal data, including Outlook emails and SharePoint documents. The vulnerabilities, reported to Microsoft in early 2023, have since been fixed, and Wiz was awarded a bug bounty of $40,000. Microsoft states that the vulnerabilities were not exploited in the wild.
AAD Vulnerabilities: Technical Overview
The issues stem from what Wiz calls Shared Responsibility Confusion. An Azure AD application can be registered as multi-tenant so that users from other organizations can sign in, but Azure only authenticates the user; it is the application's job to check which tenant the token came from. Applications that were registered as multi-tenant and skipped that check accepted logins from any Microsoft tenant.
“With single-tenant authentication, the impact is limited to the application’s tenant – all users from the same tenant could connect to the application. But with multi-tenant applications, the exposure is as wide as it gets – without proper validation, any Azure user will be able to log in to the application,” Wiz researchers explained.
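The following Python example, added here and not taken from Wiz's write-up or from any Microsoft code, shows the distinction the researchers describe: a multi-tenant app whose validation only confirms that a token came from some AAD tenant, beside one that requires the token's tenant (the tid claim and the tenant segment of the issuer URL) to be on an explicit allow list. The tenant IDs, client ID and username are made-up placeholders, and the tokens are constructed without a signature; in a real deployment the RS256 signature would be verified against the tenant's published signing keys before any claim is trusted.

```python
import base64
import json

# Made-up placeholders (assumptions for this example, not real identifiers).
APP_TENANT_ID = "11111111-1111-1111-1111-111111111111"      # tenant that owns the app
ATTACKER_TENANT_ID = "99999999-9999-9999-9999-999999999999"  # any other AAD tenant
APP_CLIENT_ID = "00000000-0000-0000-0000-000000000000"      # the app's client ID

def b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWTs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_token(tenant_id: str, audience: str) -> str:
    """Constructed test input: an AAD v2.0-style token with an empty signature.
    The claim names (iss, tid, aud) are the ones AAD actually issues."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {
        "iss": f"https://login.microsoftonline.com/{tenant_id}/v2.0",
        "tid": tenant_id,
        "aud": audience,
        "preferred_username": "user@example.invalid",  # placeholder
    }
    return ".".join([
        b64url(json.dumps(header).encode()),
        b64url(json.dumps(payload).encode()),
        "",  # no signature: signature checking is out of scope here
    ])

def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (no signature check)."""
    payload_b64 = token.split(".")[1]
    padded = payload_b64 + "=" * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def validate_permissive(token: str, client_id: str) -> bool:
    """The misconfiguration: confirms the token is for this app and was
    issued by *some* AAD tenant. Any Azure user in any tenant passes."""
    claims = decode_claims(token)
    return (
        claims.get("aud") == client_id
        and claims.get("iss", "").startswith("https://login.microsoftonline.com/")
    )

def validate_strict(token: str, client_id: str, allowed_tenants: frozenset) -> bool:
    """The fix: the tenant must be allow-listed, and the tid claim must agree
    with the tenant segment of the issuer URL."""
    claims = decode_claims(token)
    if claims.get("aud") != client_id:
        return False
    tid = claims.get("tid")
    if tid not in allowed_tenants:
        return False
    return claims.get("iss") == f"https://login.microsoftonline.com/{tid}/v2.0"

if __name__ == "__main__":
    allowed = frozenset({APP_TENANT_ID})
    foreign = make_unsigned_token(ATTACKER_TENANT_ID, APP_CLIENT_ID)
    own = make_unsigned_token(APP_TENANT_ID, APP_CLIENT_ID)
    print("permissive accepts foreign tenant:", validate_permissive(foreign, APP_CLIENT_ID))
    print("strict accepts foreign tenant:    ", validate_strict(foreign, APP_CLIENT_ID, allowed))
    print("strict accepts own tenant:        ", validate_strict(own, APP_CLIENT_ID, allowed))
```

The permissive check is what a multi-tenant registration gets by default if the application never looks at the tid claim; the strict check is the per-application validation that Wiz's description says was missing. An application that only ever serves its own organization is better off registered as single-tenant, which moves that check to Azure itself.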
An attacker with this level of access could have tampered with results for popular search terms and leaked sensitive data belonging to millions of users. Other affected applications included Mag News, Central Notification Service, Contact Center, PoliCheck, Power Automate Blog, and COSMOS.