
Azure App Services and Functions Applications at Risk Due to Microsoft Cloud Vulnerability

Updated: Apr 28, 2023

Microsoft is well known for its investment in security, but even the tech titan is not immune to flaws. Recently, a weakness in how applications built on Microsoft's Azure Active Directory (AAD), its cloud-based identity and access management service, validate sign-ins allowed security researchers to take over Bing search results and demonstrate access to Office 365 data.

This is especially concerning because AAD is the identity provider behind many Azure App Service and Azure Functions apps. As a result, the same weakness could affect numerous organizations that build on Microsoft's cloud services, not just Microsoft itself.


The vulnerability is not a bug in Azure AD itself but a validation gap in applications registered as multi-tenant. A multi-tenant app registration lets users from any Azure AD tenant sign in, and Azure AD will issue them a perfectly valid token for that app. It is the developer's responsibility to inspect the tenant claim in that token and reject tenants the application does not trust, because the platform does not do this for them. Wiz found that about a quarter of the internet-exposed multi-tenant apps it examined performed no such check. In practice that places the onus on the developer, and not all developers are aware that confirming which tenant a user comes from is part of their duties.
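As an added illustration of that check (example code written for this post, not code from Wiz, Microsoft, or any affected application), the following shows the vulnerable pattern next to a hardened one. It operates on the decoded claims of an Azure AD access token; verifying the token's signature against Azure AD's published keys is assumed to have happened already, typically in your JWT library or framework. The tenant and client IDs, the user names, and the claim sets are constructed for the example.

```python
# Added example: tenant validation for an Azure AD multi-tenant application.
# Assumed/hypothetical identifiers, not real tenants or app registrations.
HOME_TENANT_ID = "11111111-1111-1111-1111-111111111111"
APP_CLIENT_ID = "22222222-2222-2222-2222-222222222222"
ALLOWED_TENANTS = {HOME_TENANT_ID}  # tenants this app is willing to serve

FIXED_NOW = 1_700_000_000  # fixed clock so the example is reproducible

# Constructed claim sets, shaped like the payload of an Azure AD v2.0 token
# after its signature has been verified and it has been decoded.
HOME_USER_CLAIMS = {
    "aud": APP_CLIENT_ID,
    "iss": f"https://login.microsoftonline.com/{HOME_TENANT_ID}/v2.0",
    "tid": HOME_TENANT_ID,
    "preferred_username": "alice@contoso.example",
    "exp": FIXED_NOW + 3600,
}

ATTACKER_TENANT_ID = "99999999-9999-9999-9999-999999999999"
ATTACKER_CLAIMS = {
    "aud": APP_CLIENT_ID,  # genuinely issued by Azure AD for this app...
    "iss": f"https://login.microsoftonline.com/{ATTACKER_TENANT_ID}/v2.0",
    "tid": ATTACKER_TENANT_ID,  # ...but by a tenant the attacker created
    "preferred_username": "attacker@evil.example",
    "exp": FIXED_NOW + 3600,
}


def vulnerable_validate(claims, now=FIXED_NOW):
    """The pattern Wiz found: audience and expiry are checked, the issuing
    tenant is not. ATTACKER_CLAIMS is a real token for this app, so it passes."""
    return claims.get("aud") == APP_CLIENT_ID and claims.get("exp", 0) > now


def expected_issuers(tenant_id):
    """Issuer strings Azure AD uses for a tenant (v2.0 and v1.0 token formats)."""
    return {
        f"https://login.microsoftonline.com/{tenant_id}/v2.0",
        f"https://sts.windows.net/{tenant_id}/",
    }


def hardened_validate(claims, allowed_tenants=ALLOWED_TENANTS, now=FIXED_NOW):
    """Return (accepted, reason). Accept only if the token is for this app,
    unexpired, from an allow-listed tenant, and the issuer names that tenant."""
    if claims.get("aud") != APP_CLIENT_ID:
        return False, "audience mismatch"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    tid = claims.get("tid")
    if not tid:
        return False, "no tid claim"
    if tid not in allowed_tenants:
        return False, f"tenant {tid} not allowed"
    # The issuer embeds the tenant as well; a mismatch means something is off.
    if claims.get("iss") not in expected_issuers(tid):
        return False, "issuer does not match tid"
    return True, "ok"


if __name__ == "__main__":
    for label, claims in (("home user", HOME_USER_CLAIMS), ("attacker", ATTACKER_CLAIMS)):
        print(f"{label}: vulnerable={vulnerable_validate(claims)} "
              f"hardened={hardened_validate(claims)}")
```

If the app really must serve several tenants, `ALLOWED_TENANTS` becomes the list of customer tenants you have onboarded; "any tenant that can get a token" is never the right answer for an app that fronts internal data.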


Wiz, a cloud security company, determined that Microsoft's own products were vulnerable to this type of attack, including Bing Trivia. Bing Trivia was an internal Microsoft application whose sign-in page accepted any Azure AD user and, once past it, exposed a content management system tied to Bing.com. After logging in with a user from their own Azure AD tenant, the researchers found they could alter search results, which would have let them run misinformation campaigns or impersonate legitimate websites.


The researchers also found that Bing is integrated with Office 365, and that they could inject a cross-site scripting (XSS) payload into Bing.com that would steal a visiting user's Office 365 token. Such a token grants access to that person's Office 365 data, including emails, Teams messages, calendar entries, and SharePoint and OneDrive files.


Wiz discovered that the same misconfiguration affected several other internal Microsoft applications, including Mag News, the Centralized Notification Service (CNS) API, Contact Center, PoliCheck, the Power Automate Blog, and the file management system COSMOS. The problem was not confined to Microsoft's own applications: any organization with Azure Active Directory applications registered as multi-tenant but without adequate authorization checks may be vulnerable in the same way.


Microsoft fixed the Bing issue the same day Wiz reported it, and the remaining vulnerable applications were patched by late February. Microsoft also awarded Wiz $40,000 under its bug bounty program. Administrators should nevertheless double-check their own application registrations: confirm that multi-tenant sign-in is actually needed, and where it is, confirm that the application validates the tenant of every token it accepts; where it is not, switch the registration to single-tenant. For applications that were exposed, reviewing sign-in logs for past activity from tenants other than your own is also suggested.
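As an added example of that log review (written for this post, not a tool from Wiz or Microsoft), the code below triages a sign-in log export for a multi-tenant app and flags sign-ins by users whose home tenant is not ours. The records are constructed to resemble Azure AD sign-in entries; the field names used (`appId`, `homeTenantId`, `resourceTenantId`, `userPrincipalName`, `createdDateTime`, `status.errorCode`) are assumptions for this example and should be checked against the export you actually have.

```python
# Added example: find sign-ins to a multi-tenant app from foreign tenants.
import json
from collections import Counter

# Assumed identifiers (hypothetical): our tenant and the app under review.
HOME_TENANT_ID = "11111111-1111-1111-1111-111111111111"
WATCHED_APP_IDS = {"22222222-2222-2222-2222-222222222222"}

# Constructed sample export, one JSON record per line. Field names are
# assumed to mirror Azure AD sign-in log entries; adjust to your export.
SAMPLE_SIGNINS = """\
{"createdDateTime": "2023-02-01T10:02:11Z", "appId": "22222222-2222-2222-2222-222222222222", "userPrincipalName": "alice@contoso.example", "homeTenantId": "11111111-1111-1111-1111-111111111111", "resourceTenantId": "11111111-1111-1111-1111-111111111111", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}}
{"createdDateTime": "2023-02-01T10:05:43Z", "appId": "22222222-2222-2222-2222-222222222222", "userPrincipalName": "someone@outsider.example", "homeTenantId": "99999999-9999-9999-9999-999999999999", "resourceTenantId": "11111111-1111-1111-1111-111111111111", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}}
{"createdDateTime": "2023-02-01T10:07:00Z", "appId": "33333333-3333-3333-3333-333333333333", "userPrincipalName": "someone@outsider.example", "homeTenantId": "99999999-9999-9999-9999-999999999999", "resourceTenantId": "11111111-1111-1111-1111-111111111111", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}}
{"createdDateTime": "2023-02-01T10:09:30Z", "appId": "22222222-2222-2222-2222-222222222222", "userPrincipalName": "bob@another.example", "homeTenantId": "88888888-8888-8888-8888-888888888888", "resourceTenantId": "11111111-1111-1111-1111-111111111111", "ipAddress": "198.51.100.8", "status": {"errorCode": 50105}}
"""


def parse_signins(jsonl_text):
    """Parse a JSON-lines export into a list of records, skipping blank lines."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def foreign_tenant_signins(records, home_tenant=HOME_TENANT_ID,
                           watched_apps=WATCHED_APP_IDS, successful_only=True):
    """Return sign-ins to a watched app by users whose home tenant is not ours.

    successful_only=True keeps only errorCode 0 (evidence of actual access);
    set it to False to also see failed attempts, which can show probing.
    """
    hits = []
    for rec in records:
        if rec.get("appId") not in watched_apps:
            continue
        home = rec.get("homeTenantId")
        if not home:
            continue  # older records may lack the field; fall back on UPN domain if so
        if home == home_tenant:
            continue
        error_code = rec.get("status", {}).get("errorCode", 0)
        if successful_only and error_code != 0:
            continue
        hits.append({
            "when": rec.get("createdDateTime"),
            "user": rec.get("userPrincipalName"),
            "tenant": home,
            "ip": rec.get("ipAddress"),
            "errorCode": error_code,
        })
    return hits


def tenants_seen(hits):
    """Count foreign tenants, useful for deciding which ones to investigate first."""
    return Counter(h["tenant"] for h in hits)


if __name__ == "__main__":
    recs = parse_signins(SAMPLE_SIGNINS)
    for hit in foreign_tenant_signins(recs, successful_only=False):
        print(hit)
    print(tenants_seen(foreign_tenant_signins(recs, successful_only=False)))
```

A successful sign-in from an unknown tenant to an app that was never meant to serve outside users is the signal you are looking for; a burst of failures from the same tenant is worth a look too, since an attacker testing whether a registration accepts foreign tenants will generate exactly that.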


The Bing incident highlights how much of the security of cloud-based services rests on configuration and validation that the platform leaves to its customers. When it comes to authenticating user identity and authorizing access, developers and organizations must understand exactly which checks are theirs to perform. As more businesses migrate to cloud-based services, it is critical that they maintain a watchful and proactive approach to security.


This blog was written by the Activated Solutions team. If you are a business owner or an individual concerned about your cybersecurity, it's time to take action. Activated Solutions can help you to protect your business and personal data from potential cyber threats.


Contact Activated Solutions today to learn more about how we can help you protect your business. With our expertise and commitment to cybersecurity, you can have peace of mind knowing that you are taking proactive steps to protect yourself and your business from potential data breaches.


For more information, please visit: activatedsolutions.ca.

