I hacked into a @Bing CMS that allowed me to alter search results and take over...

source link: https://nitter.net/hillai/status/1641146508639600646

Hillai Ben-Sasson (@hillai): "I hacked into a @Bing CMS that allowed me to alter search results and take over millions of @Office365 accounts. How did I do it? Well, it all started with a simple click in @Azure… 👀 This is the story of #BingBang 🧵⬇️"


Mar 29, 2023 · 6:33 PM UTC

My research started when our Research Team at @wiz_io first noticed a strange configuration in Azure. A single checkbox is all that separates an app from becoming “multi-tenant” – which by default, allows ALL USERS to log in.
I found a Microsoft app configured like this, and… just logged in 🤷🏻‍♂️ My user was immediately granted access to this “Bing Trivia” page. Don’t let the name fool you – it controls much more than just trivia. In fact, as I came to find out, it can control ACTUAL SEARCH RESULTS 🤯
I started looking around to realize the app’s purpose and why I had access. I then found a section that contained some keywords and corresponding search results, which raised the question – could this app actually modify search results on Bing.com? 🔎
I tested this theory by selecting the “best soundtracks” keyword and switching the first result from “Dune (2021)” to my personal favorite, “Hackers (1995)”. I was surprised to see this result immediately appear on Bing.com!
I then checked for XSS viability, by adding a harmless payload into my new result. I refreshed the page, and my payload successfully executed! I quickly reverted my changes and reported everything to Microsoft, but one question remained on my mind – what can I do with this XSS?
When inspecting Bing requests, I noticed an endpoint being used for Office 365 communications. As it turns out, Bing is allowed to issue Office tokens for any logged-on user. I quickly crafted an XSS payload utilizing this functionality, tested it on myself, and it worked!

With this token, an attacker could fetch:

- Outlook emails ✉️
- Calendars 📅
- Teams messages 💬
- SharePoint documents 📄
- OneDrive files 📁
- And more, from any Bing user!

Here you can see my personal inbox being read on our “attacker machine”, using the exfiltrated Bing token:

@msftsecresponse quickly responded to our report, fixed the vulnerable applications, and introduced some AAD product and guidance changes to help customers mitigate this issue. For this, they awarded us a $40,000 bug bounty, which we will donate 💸
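The root cause in the thread is the "multi-tenant" checkbox: once an Azure AD app accepts sign-ins from any tenant, the application itself has to decide which tenants it trusts by checking the `tid` (tenant ID) and `iss` (issuer) claims of the token it receives. The example below is added here to illustrate that check; it is not code from the thread, from Wiz, or from Microsoft, and the client ID, tenant IDs and the `compare` helper are hypothetical. It assumes the token's signature has already been verified by an OIDC library against the tenant's signing keys and only looks at the claims, contrasting the default "any Azure AD tenant is fine" acceptance with a tenant-allowlisted one.

```python
import base64
import json
import time

# Hypothetical identifiers for illustration only; not the real Bing Trivia values.
APP_CLIENT_ID = "22222222-2222-2222-2222-222222222222"
ALLOWED_TENANTS = {"11111111-1111-1111-1111-111111111111"}  # the tenant(s) this app is meant to serve
AAD_ISSUER_PREFIX = "https://login.microsoftonline.com/"
FIXED_NOW = 1_700_000_000  # fixed clock so the constructed sample tokens stay deterministic


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    # Constructed sample token: JOSE header + claims + empty signature segment.
    # Real Azure AD tokens are RS256-signed; signature verification is assumed
    # to happen before the claim checks below and is out of scope here.
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def jwt_claims(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))


def vulnerable_accept(claims: dict, now=None) -> bool:
    """What an app effectively does after being flipped to multi-tenant with no
    extra logic: any Azure AD issuer is trusted, so any tenant's users get in."""
    now = time.time() if now is None else now
    return (claims.get("iss", "").startswith(AAD_ISSUER_PREFIX)
            and claims.get("aud") == APP_CLIENT_ID
            and claims.get("exp", 0) > now)


def hardened_accept(claims: dict, allowed_tenants=ALLOWED_TENANTS, now=None) -> bool:
    """Adds the missing step: the tenant must be one the app expects, and the
    issuer must be that tenant's own v2.0 endpoint, not merely some Azure AD URL."""
    now = time.time() if now is None else now
    tid = claims.get("tid")
    if tid not in allowed_tenants:
        return False
    if claims.get("iss") != f"{AAD_ISSUER_PREFIX}{tid}/v2.0":
        return False  # tid claim does not match the issuing tenant
    if claims.get("aud") != APP_CLIENT_ID:
        return False  # token was minted for a different application
    return claims.get("exp", 0) > now


def _claims_for(tid: str) -> dict:
    return {
        "iss": f"{AAD_ISSUER_PREFIX}{tid}/v2.0",
        "tid": tid,
        "aud": APP_CLIENT_ID,
        "exp": FIXED_NOW + 3600,
        "preferred_username": f"user@{tid[:8]}.example",
    }


# Constructed samples: one token from the app's own tenant, one from an unrelated tenant.
OWN_TENANT_TOKEN = make_unsigned_token(_claims_for("11111111-1111-1111-1111-111111111111"))
FOREIGN_TENANT_TOKEN = make_unsigned_token(_claims_for("99999999-9999-9999-9999-999999999999"))


def compare(token: str, now=FIXED_NOW) -> dict:
    """Run both acceptance policies over one token and report the verdicts."""
    c = jwt_claims(token)
    return {"tid": c["tid"],
            "vulnerable": vulnerable_accept(c, now),
            "hardened": hardened_accept(c, now=now)}


if __name__ == "__main__":
    for t in (OWN_TENANT_TOKEN, FOREIGN_TENANT_TOKEN):
        print(compare(t))
```

Running it shows the foreign-tenant token passing the default policy and being rejected by the allowlisted one. In a real deployment the allowlist belongs in configuration, and an OIDC library should handle signature, `nbf`/`exp` and `aud` validation; the point of the example is only that tenant membership is a check the application has to add itself once the app is multi-tenant.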