Cyber security researchers were able to hijack Microsoft’s Bing search engine, changing search results and injecting code that could have stolen Office 365 data like emails and documents from millions of Microsoft customers.

Hiullai Ben-Sasson is a researcher with security firm Wiz. He couldn’t believe his eyes when a common Azure configuration let him log into a content management system that controlled Bing search results.

The issue started when he was looking through the setup of Azure Active Directory, Microsoft’s single sign-on product for authenticating users in cloud applications.

Developers can decide if they only want to authenticate users from within tenant, or if they want to open authentication to other directories including personal Microsoft accounts.

What the service does is check the validity of an authentication token, but it doesn’t “validate the user’s identity via OAuth claims and provision access accordingly”, Ben-Sasson said.

And if your web app is misconfigured to support multi-tenant authentication without the proper validation? Anyone with an Azure account can login.

Ben-Sasson immediately began scanning the internet for these applications and was surprised to find a quarter of all multi-tenant applications were exposed this way.

It was such a massive number of websites that the Wiz researchers lowered their sites to focus instead on Microsoft’s own tenant.

They created a new user in the Wiz tenant and tried logging into a domain called Bing Trivia – and it worked.

Just like that, Ben-Sasson and his colleagues owned the Bing backend and could change certain common results in the search engine’s carousel.

To test this, they navigated to the settings for the ‘best soundtracks’ search and implanted the 1995 film Hackers into its results.

They went one step further by testing if scripts could be injected into Bing queries – and they could, even allowing the researchers to hit an Office 365 API.

By targeting this API, they were able to take an authentication token from an account visiting the injected search result.

“This token enabled us, as ‘the attacker’, to fetch the victim’s Office 365 data including Outlook emails, calendars, Teams messages, SharePoint documents, and OneDrive files,” Ben-Sasson said.

“A malicious actor with the same access could’ve hijacked the most popular search results with the same payload and leak sensitive data from millions of users.”

Bing is now more popular than ever thanks to the addition of an AI chatbot, reaching 100 million daily active users in early March.

Judging by screenshots in a video Wiz about the vulnerability, it appears the attack on Bing took place back in December 2022.

Even with only one billion pageviews a month, Ben-Sasson figured “millions of users could’ve been exposed to malicious search results and Office 365 data theft”.

When they informed Microsoft about the flaw, the tech giant rewarded Wiz with the humble sum of US$40,000 (which Wiz said it will donate).

In its own blog post about the vulnerability, Microsoft said Azure Active Directory was “updated to stop issuing tokens to clients that are not registered in the resource tenants” which it claims “prevents this issue from happening even if an application does not correctly handle the authorisation check”.

Microsoft encouraged developers to review the authorisation logic of multi-tenant applications and update deployment procedures.