Bing is on the best run it has had since its launch in 2009 thanks to its integration with GPT-4, but it is not all good news. Microsoft has patched a serious vulnerability in the search engine that allowed an attacker to alter the results it served and to access users' personal data.
Hillai Ben-Sasson, a researcher at the cloud security firm Wiz, discovered the vulnerability in January, according to The Wall Street Journal, and reported it to Microsoft, which this week published a blog post describing the fix and the additional security measures it has taken.
Ben-Sasson, who received a $40,000 reward for the finding, explained in a series of posts on Twitter that the discovery began with a "strange" configuration spotted in Azure, Microsoft's cloud computing platform, which underpins many of its products and services.
I hacked into a @Bing CMS that allowed me to alter search results and take over millions of @Office 365 accounts.
How did I do it? Well, it all started with a simple click in @Azure… 👀
This is the story of #Bing Bang 🧵⬇️ pic.twitter.com/9pydWvHhJs
— Hillai Ben-Sasson (@hillai) March 29, 2023
Digging further, he found an application that used that setting, which turned out to be Bing Trivia. Despite its name, this is the CMS (Content Management System) behind bing.com, and from it search results can be controlled, as he discovered after finding a section that listed search keywords alongside the results that should appear for them. He confirmed that he could modify them by changing the result for the search "best soundtracks" so that it showed the film "Hackers" instead of "Dune"; the change appeared immediately as the first result when searching for that term on Bing.
I tested this theory by selecting the “best soundtracks” keyword and switching the first result from “Dune (2021)” to my personal favorite, “Hackers (1995)”. I was surprised to see this result immediately appear on https://t.co/xQvddyiPr9! pic.twitter.com/DE0uohmwIP
— Hillai Ben-Sasson (@hillai) March 29, 2023
He also found that the CMS was vulnerable to cross-site scripting (XSS) attacks, and that by this route it was possible to access the personal data of Office 365 users who signed in to Bing with their account. The information at risk included Outlook emails, calendar entries, Teams messages and files stored on OneDrive, among other items.
According to Ami Luttwak, chief technology officer at Wiz, such a vulnerability could have been exploited by "a nation-state trying to influence public opinion or a financially motivated hacker".
After receiving Ben-Sasson's report, Microsoft explains on its blog that it "corrected the incorrect configuration, added additional authorization checks to address the issue, and confirmed that no unwanted access had occurred".