Microsoft has patched a misconfiguration issue impacting the Azure Active Directory (AAD) identity and access management service that exposed several “high-impact” applications to unauthorized access.
The issues were reported to Microsoft in January and February 2022, following which the tech giant applied fixes and awarded Wiz a $40,000 bug bounty. Redmond said it found no evidence that the misconfigurations were exploited in the wild.
The crux of the vulnerability stems from what’s called “Shared Responsibility confusion,” wherein an Azure app can be incorrectly configured to allow users from any Microsoft tenant, leading to a potential case of unintended access.
This includes the Bing Trivia app, which the cybersecurity firm exploited to alter search results in Bing and even manipulate content on the homepage as part of an attack chain dubbed BingBang.
“A malicious actor with the same access could’ve hijacked the most popular search results with the same payload and leak sensitive data from millions of users,” Wiz researcher Hillai Ben-Sasson noted.
The development comes as enterprise penetration testing firm NetSPI revealed details of a cross-tenant vulnerability in Power Platform connectors that could be abused to gain access to sensitive data.
The research also follows the release of patches to remediate Super FabriXss (CVE-2023-23383, CVSS score: 8.2), a reflected XSS vulnerability in Azure Service Fabric Explorer (SFX) that could lead to unauthenticated remote code execution.
Source: https://thehackernews.com/
