Wiz Research discovered a new attack vector in Azure Active Directory that exposed misconfigured applications to unauthorized access.
These misconfigurations are fairly popular, especially with Azure App Services and Azure Functions. Based on our scans, about 25% of multi-tenant applications turned out to be vulnerable.
We found several high-impact, vulnerable Microsoft applications. One of these apps is a content management system (CMS) that powers Bing.com and allowed us to not only modify search results, but also launch high-impact XSS attacks on Bing users. Those attacks could compromise users’ personal data, including Outlook emails and SharePoint documents.
All issues were reported to the MSRC team. It fixed the vulnerable applications, updated customer guidance, and patched some AAD functionality to reduce customer exposure. MSRC’s blog can be found here.
To check whether your environment has been affected by this misconfiguration, please refer to the “Customer Remediation Guidelines” section of the blog.