Skip to main content

This Bing flaw let hackers change search results and steal your files

A security researcher was recently able to change the top results in Microsoft’s Bing search engine and access any user’s private files, potentially putting millions of users at risk — and all it took was logging into an unsecured web page.

The exploit was discovered by researcher Hillai Ben-Sasson at their team at Wiz, a cloud security firm. According to Ben-Sasson, it would not only allow an attacker to change Bing search results but would also grant them access to millions of users’ private files and data.

The #BingBang - a vulnerability discovered by Wiz Research

Dubbed BingBang by the research group, the vulnerability centered on Microsoft’s Azure Active Directory, which is used by enterprises to manage user identities and access to apps. Unfortunately, if an app is misconfigured, any Azure user in the world can log into it without the proper credentials.

Shockingly, the researchers noted in a technical analysis of the bug that up to 25% of all multi-user apps they scanned were vulnerable — including a Microsoft app named Bing Trivia.

After exploiting the flaw to log into the Bing Trivia app, the Wiz team found a content management system (CMS) tied to that was controlling the search engine’s live results. With a touch of humor, they then altered one of the entries, changing the top result for ‘best soundtracks’ from the Dune score to that from the 1995 movie Hackers.

However, there’s nothing funny about what this flaw implies. As the researchers explained, “a malicious actor landing on the Bing Trivia app page could therefore have tampered with any search term and launched misinformation campaigns, as well as phished and impersonated other websites.”

Stealing private files and emails

A comparison of Bing search results before and after the BingBang exploit was applied, showing how the list of recommended movie soundtracks could be altered.

What’s more, the researchers were able to add a harmless cross-site scripting (XSS) payload into Bing while they were logged in. This was able to run as expected, without interference. After reporting the issue to Microsoft, the researchers tried modifying this XSS payload to see what was possible.

Because Bing integrates with Microsoft 365, the Wiz team was able to create a script that could potentially steal a logged-in user’s access tokens, granting them access to that user’s cloud data. That could include Outlook emails, calendars, Teams messages, OneDrive files, and more.

Put together, that means a hacker could have the power to redirect Bing search results to a malicious website, and at the same time harvest private data from any user logged in on a Microsoft 365 account. All from exploiting a simple login vulnerability.

Fortunately, the researchers immediately reported the flaw to Microsoft and it was patched shortly afterward, resulting in a $40,000 bug bounty reward. Yet it remains an alarming example of how little effort can be required to steal private data from millions of unsuspecting users.

Editors' Recommendations

Alex Blake
In ancient times, people like Alex would have been shunned for their nerdy ways and strange opinions on cheese. Today, he…
Hacker steals 1 billion people’s records in unprecedented data breach
A depiction of a hacker breaking into a system via the use of code.

An anonymous hacker has stated that he has successfully infiltrated the Shanghai police department’s database. In doing so, he apparently extracted personal information of a staggering one billion Chinese citizens.

The individual, 'ChinaDan', took sole responsibility for the data breach. As reported by Reuters and PCMag, he detailed the incident on hacker forum Breach Forums.

Read more
Hackers targeted AMD to steal huge 450GB of top-secret data
A depiction of a hacker breaking into a system via the use of code.

A data extortion group known as RansomHouse has asserted that it has stolen upwards of 450GB of sensitive data from AMD.

Team Red has since confirmed that it launched an investigation into the matter after the situation came to light.

Read more
Microsoft will never win the search engine wars by forcing people to use Bing
bing wants to make it easier for you scope out a new neighborhood zoom in

Bing is known as the default search engine for Windows, and not much else. Microsoft's solution? To forcibly install a Bing search extension in Chrome for Office 365 ProPlus users.

The company says that this is designed for enterprise and business users to find relevant workplace information directly from the browser address bar, but we all know Microsoft is desperate to get more people using its search engine. It sounds harmless, but here's why forcing people to use Bing won't help Microsoft in the long run.
Bing has a bad track record
Marketing jargon aside, the idea that Microsoft has with this is simple. By forcing enterprises and businesses with Office 365 Pro Plus to use Bing, the overall share and usage of the search engine might increase. However, there's one problem. As it stands, Bing doesn't have a good track record, and people might not want to use it at all, even if forced to it.

Read more