Hillai Ben-Sasson
Mar 29, 2023, 12 tweets, 6 min read
I hacked into a @bing CMS that allowed me to alter search results and take over millions of @Office365 accounts.
How did I do it? Well, it all started with a simple click in @Azure… 👀
This is the story of #BingBang 🧵⬇️
My research started when our Research Team at @wiz_io first noticed a strange configuration in Azure. A single checkbox is all that separates an app from becoming “multi-tenant” – which by default, allows ALL USERS to log in.
I found a Microsoft app configured like this, and… just logged in 🤷🏻‍♂️
My user was immediately granted access to this “Bing Trivia” page. Don’t let the name fool you – it controls much more than just trivia. In fact, as I came to find out, it can control ACTUAL SEARCH RESULTS 🤯
I started looking around to realize the app’s purpose and why I had access. I then found a section that contained some keywords and corresponding search results, which raised the question – could this app actually modify search results on Bing.com? 🔎
I tested this theory by selecting the “best soundtracks” keyword and switching the first result from “Dune (2021)” to my personal favorite, “Hackers (1995)”. I was surprised to see this result immediately appear on Bing.com!
I then checked for XSS viability, by adding a harmless payload into my new result. I refreshed the page, and my payload successfully executed! I quickly reverted my changes and reported everything to Microsoft, but one question remained on my mind – what can I do with this XSS?
When inspecting Bing requests, I noticed an endpoint being used for Office 365 communications. As it turns out, Bing is allowed to issue Office tokens for any logged-on user. I quickly crafted an XSS payload utilizing this functionality, tested it on myself, and it worked!
With this token, an attacker could fetch:

Outlook emails ✉️
Calendars 📅
Teams messages 💬
SharePoint documents 📄
OneDrive files 📁
And more, from any Bing user!

Here you can see my personal inbox being read on our “attacker machine”, using the exfiltrated Bing token:
@msftsecresponse quickly responded to our report, fixed the vulnerable applications, and introduced some AAD product and guidance changes to help customers mitigate this issue. For this, they awarded us a $40,000 bug bounty, which we will donate 💸
Read the full technical details here >>
wiz.io/blog/azure-act…
Check out our full attack flow here >>
Thank you to everyone who joined the discussion!

If you're interested in how we found this app, check out @shirtamari's thread:
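The root cause in the thread is a multi-tenant Azure AD app that accepted sign-ins from any tenant because nothing in the app checked where the token came from. As an added example (not code from the thread, from Wiz or from Microsoft), this is the claim check such an app needs: reject any token whose `tid` is not on an allow-list and whose `iss` does not agree with that tenant. The allow-list GUIDs and the sample tokens are constructed placeholders, and signature verification is assumed to happen before this step.

```python
# Added example: tenant validation for a multi-tenant Azure AD app.
# Signature verification is assumed to be done separately; these functions
# only inspect the claims, which is the check the vulnerable app lacked.
import base64
import json

# Hypothetical allow-list of tenant IDs this app is willing to serve.
# The GUID is a constructed placeholder, not a real tenant.
ALLOWED_TENANTS = {"11111111-2222-3333-4444-555555555555"}


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT (no signature check here)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def is_tenant_allowed(claims: dict) -> bool:
    """True only if tid is allow-listed and iss names that same tenant."""
    tid = claims.get("tid")
    if tid not in ALLOWED_TENANTS:
        return False
    # Azure AD v2.0 issuer URLs embed the tenant ID; require it to match tid.
    return claims.get("iss") == f"https://login.microsoftonline.com/{tid}/v2.0"


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for the demonstration below."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


# Constructed sample tokens: one from the home tenant, one from an outside tenant.
HOME_TID = "11111111-2222-3333-4444-555555555555"
OTHER_TID = "99999999-8888-7777-6666-555555555555"
home_token = make_unsigned_token(
    {"tid": HOME_TID, "iss": f"https://login.microsoftonline.com/{HOME_TID}/v2.0"})
foreign_token = make_unsigned_token(
    {"tid": OTHER_TID, "iss": f"https://login.microsoftonline.com/{OTHER_TID}/v2.0"})

if __name__ == "__main__":
    print(is_tenant_allowed(decode_claims(home_token)))     # True
    print(is_tenant_allowed(decode_claims(foreign_token)))  # False
```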
