Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
View Regular
Hillai Ben-Sasson Profile picture
Hillai Ben-Sasson
@hillai
Cloud Security Researcher @wiz_io ✦

Mar 29, 2023, 12 tweets

I hacked into a @bing CMS that allowed me to alter search results and take over millions of @Office365 accounts.
How did I do it? Well, it all started with a simple click in @Azure… 👀
This is the story of #BingBang 🧵⬇️

My research started when our Research Team at @wiz_io first noticed a strange configuration in Azure. A single checkbox is all that separates an app from becoming “multi-tenant” – which by default, allows ALL USERS to log in.

I found a Microsoft app configured like this, and… just logged in 🤷🏻‍♂️
My user was immediately granted access to this “Bing Trivia” page. Don’t let the name fool you – it controls much more than just trivia. In fact, as I came to find out, it can control ACTUAL SEARCH RESULTS 🤯

I started looking around to realize the app’s purpose and why I had access. I then found a section that contained some keywords and corresponding search results, which raised the question – could this app actually modify search results on Bing.com? 🔎

I tested this theory by selecting the “best soundtracks” keyword and switching the first result from “Dune (2021)” to my personal favorite, “Hackers (1995)”. I was surprised to see this result immediately appear on Bing.com!

I then checked for XSS viability, by adding a harmless payload into my new result. I refreshed the page, and my payload successfully executed! I quickly reverted my changes and reported everything to Microsoft, but one question remained on my mind – what can I do with this XSS?

When inspecting Bing requests, I noticed an endpoint being used for Office 365 communications. As it turns out, Bing is allowed to issue Office tokens for any logged-on user. I quickly crafted an XSS payload utilizing this functionality, tested it on myself, and it worked!

With this token, an attacker could fetch:

Outlook emails ✉️
Calendars 📅
Teams messages 💬
SharePoint documents 📄
OneDrive files 📁
And more, from any Bing user!

Here you can see my personal inbox being read on our “attacker machine”, using the exfiltrated Bing token:

@msftsecresponse quickly responded to our report, fixed the vulnerable applications, and introduced some AAD product and guidance changes to help customers mitigate this issue. For this, they awarded us with $40,000 bug bounty, which we will donate 💸

Read the full technical details here >>
wiz.io/blog/azure-act…

Check out our full attack flow here >>

Thank you to everyone who joined the discussion!

If you're interested in how we found this app, check out @shirtamari's thread:

Share this Scrolly Tale with your friends.

A Scrolly Tale is a new way to read Twitter threads with a more visually immersive experience.
Discover more beautiful Scrolly Tales like this.

Keep scrolling