Microsoft Resolves Azure AD Issues Impacting Bing and Major Apps

The Executive Headlines
Microsoft has fixed a misconfiguration loophole in the Azure Active Directory (AAD) identity and access management service that exposed multiple "high-impact" applications to unauthorized access.
Cloud security firm Wiz said, "One of these apps is a content management system (CMS) that powers Bing.com and allowed us to not only modify search results but also launch high-impact XSS attacks on Bing users. Those attacks could compromise users' personal data, including Outlook emails and SharePoint documents."
Wiz reported these vulnerabilities to Microsoft in January and February 2022 and received a bounty of $40,000 from the tech giant. Microsoft subsequently fixed the issues.
The root cause of the vulnerability is what Wiz calls "Shared Responsibility confusion": an Azure app can be inappropriately configured to accept sign-ins from users of any Microsoft tenant, which can lead to unintended access.
Notably, several of Microsoft's own internal apps were found to exhibit this behavior, granting external parties read and write access to the affected applications.
One of those apps is the Bing Trivia app, which the cybersecurity firm exploited to alter search results in Bing and even control the content on the homepage, as part of an attack chain dubbed BingBang.
Worse, the exploit could be weaponized to launch a cross-site scripting (XSS) attack on Bing.com and exfiltrate a victim's Outlook emails, Teams messages, calendars, SharePoint documents, and OneDrive files.
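As an added example (not code from the article, Wiz, or Microsoft), the check below shows the application-side half of the "Shared Responsibility confusion" described above: with a multi-tenant app registration, Azure AD issues tokens to users of any tenant, so the application itself must validate the token's tenant (`tid`) and issuer (`iss`) claims against an allowlist. The tenant GUIDs, client ID and token claims are constructed placeholders.

```python
# Added example: tenant allowlisting for an Azure AD multi-tenant app.
# All identifiers below are constructed placeholders, not real tenants or apps.
import base64
import json

# Hypothetical: the only tenant(s) this app is meant to serve.
ALLOWED_TENANTS = {"11111111-1111-1111-1111-111111111111"}
# Hypothetical application (client) ID the token must be issued for.
APP_CLIENT_ID = "22222222-2222-2222-2222-222222222222"


def decode_payload(token: str) -> dict:
    """Return the JWT payload WITHOUT signature verification.

    In production the signature must be verified first (e.g. with PyJWT against
    the issuing tenant's JWKS); this helper only lets the tenant check run offline.
    """
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def is_authorized(claims: dict, enforce_tenant: bool = True) -> bool:
    """Authorize a caller from already-verified token claims.

    enforce_tenant=False reproduces the misconfiguration the article describes:
    any Azure AD user from any tenant is accepted once the audience matches.
    """
    if claims.get("aud") != APP_CLIENT_ID:
        return False
    if not enforce_tenant:
        return True
    tid = claims.get("tid")
    if tid not in ALLOWED_TENANTS:
        return False
    # v2.0 issuer format; v1.0 tokens use https://sts.windows.net/{tid}/ instead.
    return claims.get("iss") == f"https://login.microsoftonline.com/{tid}/v2.0"


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped string for the demo only."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed claims: one caller from a foreign tenant, one from the home tenant.
FOREIGN_TID = "99999999-9999-9999-9999-999999999999"
HOME_TID = next(iter(ALLOWED_TENANTS))
foreign_claims = {"aud": APP_CLIENT_ID, "tid": FOREIGN_TID,
                  "iss": f"https://login.microsoftonline.com/{FOREIGN_TID}/v2.0"}
home_claims = {"aud": APP_CLIENT_ID, "tid": HOME_TID,
               "iss": f"https://login.microsoftonline.com/{HOME_TID}/v2.0"}
```

Running `is_authorized(foreign_claims, enforce_tenant=False)` returns True (the misconfigured behaviour), while the default `is_authorized(foreign_claims)` returns False and only the home tenant is accepted.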