BingBang: AAD misconfiguration led to results manipulation and account takeover

We discussed this vulnerability during Episode 201 on 03 April 2023

At its core, this is a simple mistake that is easy to make on any of the cloud platforms, though this post focuses on Azure App Services and Azure Functions. Being able to add authentication to your apps with a few clicks is nice, but it is easy to misconfigure. The built-in authentication ("Easy Auth") only ensures that the user has presented a valid Azure AD token; when the app registration is multi-tenant, any AAD user from any tenant can get one. It is left to the application to actually validate the claims within that token: that the token was issued for the expected tenant, and that the user belongs to the expected groups or holds the right roles. It is reasonably easy to add authentication and never take the extra step of restricting who it lets through.
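The check that was missing in the affected apps, as an added example rather than code from the original post or from Microsoft: Easy Auth injects the authenticated user's claims into the request as the base64-encoded JSON header `X-MS-CLIENT-PRINCIPAL` (overwriting any copy the client sent), so the application can read that header and refuse requests whose token was issued for a foreign tenant or whose user lacks the required app role. The tenant ID, role name and sample principals below are constructed for the example; the tenant and role claims are looked up under both their short JWT names and the long schema URIs, since which form appears in the header is an assumption about the deployment.

```python
import base64
import json

# Claim types as they appear in X-MS-CLIENT-PRINCIPAL. Both the short JWT names
# and the long schema URIs are listed (assumption: a deployment may use either).
TENANT_CLAIMS = {"tid", "http://schemas.microsoft.com/identity/claims/tenantid"}
ROLE_CLAIMS = {"roles", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"}

# Hypothetical values for this example: the one tenant the app is meant to serve,
# and the app role a user must hold to reach the admin surface.
EXPECTED_TENANT = "11111111-1111-1111-1111-111111111111"
REQUIRED_ROLE = "Carousel.Admin"


def get_header(headers, name):
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def parse_client_principal(header_value):
    """Decode the base64 JSON Easy Auth places in X-MS-CLIENT-PRINCIPAL and
    return a dict mapping claim type -> list of values."""
    principal = json.loads(base64.b64decode(header_value))
    claims = {}
    for c in principal.get("claims", []):
        claims.setdefault(c["typ"], []).append(c["val"])
    return claims


def is_authorized(headers, expected_tenant=EXPECTED_TENANT, required_role=REQUIRED_ROLE):
    """Return (allowed, reason). A valid token alone is not enough: the issuing
    tenant and the user's app role must both match what this app expects."""
    header = get_header(headers, "X-MS-CLIENT-PRINCIPAL")
    if not header:
        return False, "no principal header: request did not pass through Easy Auth"
    claims = parse_client_principal(header)
    tenants = [v for t in TENANT_CLAIMS for v in claims.get(t, [])]
    if expected_tenant not in tenants:
        # This is the BingBang case: a valid token, but from some other AAD tenant.
        return False, f"token issued for tenant {tenants or 'unknown'}, not {expected_tenant}"
    roles = [v for t in ROLE_CLAIMS for v in claims.get(t, [])]
    if required_role not in roles:
        return False, f"user lacks required app role {required_role}"
    return True, "ok"


def make_principal(tenant, roles):
    """Build a constructed X-MS-CLIENT-PRINCIPAL value for testing (not a real token)."""
    claims = [{"typ": "tid", "val": tenant}] + [{"typ": "roles", "val": r} for r in roles]
    body = {"auth_typ": "aad", "claims": claims, "name_typ": "name", "role_typ": "roles"}
    return base64.b64encode(json.dumps(body).encode()).decode()


# Constructed sample requests: an admin from the expected tenant, a user from the
# expected tenant with no role, and an outsider who signed in with their own tenant.
INSIDER_ADMIN = {"X-MS-CLIENT-PRINCIPAL": make_principal(EXPECTED_TENANT, ["Carousel.Admin"])}
INSIDER_NO_ROLE = {"X-MS-CLIENT-PRINCIPAL": make_principal(EXPECTED_TENANT, [])}
OUTSIDER = {"x-ms-client-principal": make_principal("22222222-2222-2222-2222-222222222222", ["Carousel.Admin"])}

if __name__ == "__main__":
    for label, req in (("insider admin", INSIDER_ADMIN), ("insider, no role", INSIDER_NO_ROLE),
                       ("outsider", OUTSIDER), ("unauthenticated", {})):
        print(label, is_authorized(req))
```

Two caveats a practitioner would want: the header is only trustworthy because Easy Auth sets it on the platform side, so the check must never be relied on if Easy Auth is disabled, and the cheaper fix is to also switch the app registration to single-tenant so that foreign-tenant users cannot obtain a token in the first place. Validating claims in code still matters after that, since single-tenant only proves the caller is a colleague, not an administrator.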

The authors, noticing this, started scanning for Azure applications that require authentication but do not validate that the user has the appropriate claims. They discovered a number of vulnerable applications belonging to Microsoft, from internal tools like Contact Center (for managing call center agents) and COSMOS (a file manager holding over 4 exabytes of data) to the public-facing Power Automate Blog's WordPress admin panel.

The most impactful of these finds was the Bing Trivia app. Despite its name, it appears to manage some central aspects of Bing, most importantly the Carousels section, which stores the carousels shown above some search results. For example, a search for best soundtracks has a carousel at the top containing some highly recommended movie soundtracks. The authors were able to add the 1995 movie Hackers as the top result.

They were also able to obtain XSS here (not many details, but given the level of content control, probably fairly straightforward), and could use that to steal a user's Office 365 token and access all of their OneDrive files, Teams messages, Outlook emails, etc. Pretty crazy impact, but misconfigurations can do that to you.