Skip to main content
  1. Home
  2. Computing
  3. News

This Bing flaw let hackers change search results and steal your files

Alex Blake
By

A security researcher was recently able to change the top results in Microsoft’s Bing search engine and access any user’s private files, potentially putting millions of users at risk — and all it took was logging into an unsecured web page.

The exploit was discovered by researcher Hillai Ben-Sasson at their team at Wiz, a cloud security firm. According to Ben-Sasson, it would not only allow an attacker to change Bing search results but would also grant them access to millions of users’ private files and data.

The #BingBang - a Bing.com vulnerability discovered by Wiz Research

Dubbed BingBang by the research group, the vulnerability centered on Microsoft’s Azure Active Directory, which is used by enterprises to manage user identities and access to apps. Unfortunately, if an app is misconfigured, any Azure user in the world can log into it without the proper credentials.

Related

Shockingly, the researchers noted in a technical analysis of the bug that up to 25% of all multi-user apps they scanned were vulnerable — including a Microsoft app named Bing Trivia.

Recommended Videos

After exploiting the flaw to log into the Bing Trivia app, the Wiz team found a content management system (CMS) tied to Bing.com that was controlling the search engine’s live results. With a touch of humor, they then altered one of the entries, changing the top result for ‘best soundtracks’ from the Dune score to that from the 1995 movie Hackers.

However, there’s nothing funny about what this flaw implies. As the researchers explained, “a malicious actor landing on the Bing Trivia app page could therefore have tampered with any search term and launched misinformation campaigns, as well as phished and impersonated other websites.”

Stealing private files and emails

A comparison of Bing search results before and after the BingBang exploit was applied, showing how the list of recommended movie soundtracks could be altered.
Wiz

What’s more, the researchers were able to add a harmless cross-site scripting (XSS) payload into Bing while they were logged in. This was able to run as expected, without interference. After reporting the issue to Microsoft, the researchers tried modifying this XSS payload to see what was possible.

Because Bing integrates with Microsoft 365, the Wiz team was able to create a script that could potentially steal a logged-in user’s access tokens, granting them access to that user’s cloud data. That could include Outlook emails, calendars, Teams messages, OneDrive files, and more.

Put together, that means a hacker could have the power to redirect Bing search results to a malicious website, and at the same time harvest private data from any user logged in on a Microsoft 365 account. All from exploiting a simple login vulnerability.

Fortunately, the researchers immediately reported the flaw to Microsoft and it was patched shortly afterward, resulting in a $40,000 bug bounty reward. Yet it remains an alarming example of how little effort can be required to steal private data from millions of unsuspecting users.

Editors' Recommendations

Topics
Alex Blake
Alex Blake
Computing Writer
In ancient times, people like Alex would have been shunned for their nerdy ways and strange opinions on cheese. Today, he…
Microsoft will never win the search engine wars by forcing people to use Bing
bing wants to make it easier for you scope out a new neighborhood zoom in

Bing is known as the default search engine for Windows, and not much else. Microsoft's solution? To forcibly install a Bing search extension in Chrome for Office 365 ProPlus users.

The company says that this is designed for enterprise and business users to find relevant workplace information directly from the browser address bar, but we all know Microsoft is desperate to get more people using its search engine. It sounds harmless, but here's why forcing people to use Bing won't help Microsoft in the long run.
Bing has a bad track record
Marketing jargon aside, the idea that Microsoft has with this is simple. By forcing enterprises and businesses with Office 365 Pro Plus to use Bing, the overall share and usage of the search engine might increase. However, there's one problem. As it stands, Bing doesn't have a good track record, and people might not want to use it at all, even if forced to it.

Read more
Bing, Windows search evolve into new, cross-platform Microsoft Search
New Bing on its way

Microsoft is augmenting, upgrading, and ultimately evolving its search tools in Office, Windows, and on Bing, to something a little more unified. Like Windows itself, which has seen unification across multiple platforms, Microsoft is now maneuvering its search tools into a similar digital form factor. Microsoft Search, as it will be known, will be the main search tool for Microsoft Office, Windows itself, and the online Bing search platform.

In converting its search tool into something more widely applicable to different software and web platforms, Microsoft will also be making it smarter contextually. Searching in Bing or within Windows after the update will see a combination of web and local results display, each of which takes into consideration the user, the device they're on, and any applications they're running. Results may contain Windows commands, or quick links to certain application features, as well as personalized web search results.

Read more
Netgear router bug let hackers steal classified documents on drones, tanks
Netgear says exploit that led to stolen documents was fixed a long time ago
router exploit hacker steal military reaperdrone01

A U.S. Air Force MQ-9 Reaper drone. EthanMiller/GettyImages

Hackers have managed to gain entry to classified documents on an Air Force captain's computer after they exploited a known flaw in a Netgear router. Although the full extent of the data theft is still being quantified, the maintenance documents for the MQ-9 Reaper drone were stolen, as well as training manuals for the M1 Abrams tank, and defense tactics for tackling improvised explosive devices, were all found for sale on the dark web, Ars Technica reported. Netgear has since clarified to Digital Trends that the exploit used in the attack was fixed a long time ago in several firmware updates to its hardware.

Read more