Wiz Research discovered a new attack vector in Azure Active Directory (AAD) that exposed misconfigured applications to unauthorized access. These misconfigurations are common in applications built on Azure App Services and Azure Functions. Based on scans, about 25% of multi-tenant applications turned out to be vulnerable.
Several high-impact vulnerable Microsoft applications were found, including a content management system (CMS) that powers Bing.com. This allowed researchers to modify search results and launch high-impact XSS attacks on Bing users, potentially compromising users’ personal data like Outlook emails and SharePoint documents.
Microsoft fixed the vulnerable applications, updated customer guidance, and patched some AAD functionality to reduce customer exposure.
Wiz Research demonstrated how Microsoft itself fell prey to AAD’s configuration challenges and inadvertently exposed internal applications to external attackers. These applications allowed researchers to view and change various types of sensitive Microsoft data. In one case, they manipulated search results on Bing.com and performed XSS attacks on Bing users, potentially exposing customers’ Office 365 data.
Azure Active Directory (AAD)
AAD is the most common authentication mechanism for apps created in Azure App Services or Azure Functions. It provides different types of account access: single-tenant, multi-tenant, personal accounts, or a combination of the latter two. With multi-tenant applications, the exposure is wide – without proper validation, any Azure user can log in to the application.
Wiz Research found that 25% of all the multi-tenant apps they scanned were vulnerable to authentication bypass.
The BingBang Case Study
Wiz Research focused on Microsoft’s own tenant and found several Microsoft apps with similar misconfigurations and exposure to anyone trying to log in. One of these was the Bing Trivia app, which allowed the researchers to alter Bing search results and perform XSS attacks on Bing users.
In addition to Bing Trivia, they found several other internal Microsoft apps with misconfigurations, including Mag News, CNS API, Contact Center, PoliCheck, Power Automate Blog, and COSMOS.
Microsoft fixed these issues in a timely manner and awarded Wiz Research a bug bounty of $40,000.
Customer Remediation Guidelines
To check whether your environment has been affected by this misconfiguration, administrators can use the Azure Portal or Azure CLI to query for multi-tenant applications. They can also switch to single-tenant authentication if their application doesn’t require multi-tenancy.
If external tenant access is needed, application owners can require user assignment, use Conditional Access policies, or implement claims-based authorization logic by performing token claim checks within their application code.
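The claims-based check described above, as an added example that is not part of the original article or of any Microsoft or Wiz code: after the JWT signature has been verified by your JWT library, the application additionally enforces that the token's tenant (`tid`) is on an allow-list, that the issuer agrees with that tenant, and that the audience is this app. The tenant GUIDs, the audience URI and the sample tokens are constructed placeholders.

```python
import base64
import json
import time
from typing import Optional, Tuple

# Tenants allowed to use this multi-tenant app (constructed placeholder GUIDs, not real tenant ids).
ALLOWED_TENANTS = {"11111111-1111-1111-1111-111111111111"}
EXPECTED_AUDIENCE = "api://example-app"  # assumed app ID URI of this application


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    # Extracts the payload only. This does NOT verify the signature: in production the token
    # must first be validated against the AAD signing keys (JWKS) by your JWT library, and
    # these claim checks run on top of that.
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def authorize_tenant(claims: dict, now: Optional[float] = None) -> Tuple[bool, str]:
    """Accept only tokens issued for this app by an allowed tenant; return (allowed, reason)."""
    now = time.time() if now is None else now
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return False, "audience mismatch"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    tid = claims.get("tid")
    if tid not in ALLOWED_TENANTS:
        # This is the check a multi-tenant app without validation is missing: any AAD
        # tenant can obtain a valid token for it, so the tenant must be pinned here.
        return False, f"tenant {tid!r} not allowed"
    # The v2.0 issuer embeds the tenant id; it must agree with tid so a token carrying an
    # allowed tid but issued elsewhere is still rejected.
    if claims.get("iss") != f"https://login.microsoftonline.com/{tid}/v2.0":
        return False, "issuer does not match tenant"
    return True, "ok"


def make_sample_token(claims: dict) -> str:
    # Constructed sample token for demonstration only (placeholder header and signature).
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT', 'kid': 'constructed'})}.{enc(claims)}.placeholder"
```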
Microsoft recommends viewing your application logs and looking for any suspicious logins to know if this issue has been exploited.
Takeaways
This issue highlights the need for better understanding of cloud exposure and the shared responsibility between cloud service providers and users. Users must implement additional token validation and authentication in their application’s code to ensure authentication security.
Wiz Research urges anyone who owns multi-tenant apps to scan their environment with the guidelines provided above, as this issue is easily exploitable and severely impactful.
Read more at Wiz.io.