Bing is currently getting more attention than it has in the past few years, thanks to the launch of Bing Chat, a collaboration between Microsoft and OpenAI.

But prior to the unveiling of their new chatbot, a security research company called Wiz discovered a major security flaw in Bing that allowed hackers to obtain personal information and even modify search results.

Hillai Ben-Sasson of Wiz posted a thread on Twitter about the findings last week. As The Wall Street Journal reported, the issue started in January 2023, when Wiz discovered a “strange configuration in Azure”. Ben-Sasson was able to exploit this configuration to break into Microsoft’s Bing Trivia feature.

After testing, Ben-Sasson found that he could use this weakness to actually make changes to Bing search results, as shown in the following image.

This vulnerability allowed Wiz to issue Office tokens to every logged-in user, which means a hacker could use this exploit to obtain personal information from Bing users, including Outlook emails, Microsoft Teams chats, and much more.

According to Wiz chief technology officer Ami Luttwak, speaking to The Wall Street Journal, this weakness could be used to influence public opinion or for financial gain.

Bug Fixed!

Of course, by the time this news became public, the problem had already been resolved. Otherwise, many people would be trying to find and use this weakness.

According to Microsoft’s official post, after receiving the report from Wiz the company immediately fixed the problem in Azure and Bing, as stated below:

"Azure AD has been updated to stop issuing access tokens to clients that are not registered in the resource tenant. This prevents this issue from occurring even if the application does not handle authorization checks properly."

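The quoted fix refers to applications that do not handle authorization checks properly. As an added example (not code from this article, Wiz or Microsoft), the Python below shows the kind of application-side check meant: after a token's signature has been validated, the app still decides whether the token's audience (`aud`), tenant (`tid`) and issuer (`iss`) are ones it trusts. The tenant IDs, audience value and sample claims are constructed, and signature validation is assumed to have happened before `authorize` is called.

```python
# Added example: authorization on token claims whose signature is already verified.
# Every ID below is a constructed placeholder, not a real tenant or application.
import time

HOME = "11111111-1111-1111-1111-111111111111"      # constructed trusted tenant
FOREIGN = "22222222-2222-2222-2222-222222222222"   # constructed untrusted tenant
ALLOWED_TENANTS = {HOME}
EXPECTED_AUDIENCE = "api://constructed-app-id"      # constructed audience value
ISSUER_TEMPLATE = "https://login.microsoftonline.com/{tid}/v2.0"
NOW = 1_700_000_000                                 # fixed clock for the samples


def authorize(claims, now=None):
    """Return (allowed, reason) for an already signature-verified claim set."""
    now = time.time() if now is None else now
    tid = claims.get("tid")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return False, "token was issued for a different application"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token is expired or has no expiry"
    if tid not in ALLOWED_TENANTS:
        # A valid signature only proves the identity provider issued the token;
        # it does not prove the caller belongs to a tenant this app trusts.
        return False, "tenant is not on the allow-list"
    if claims.get("iss") != ISSUER_TEMPLATE.format(tid=tid):
        return False, "issuer does not match the tenant claim"
    return True, "ok"


def make_claims(**overrides):
    """Build a constructed claim set for the trusted tenant, then apply overrides."""
    claims = {"aud": EXPECTED_AUDIENCE, "exp": NOW + 3600,
              "tid": HOME, "iss": ISSUER_TEMPLATE.format(tid=HOME)}
    claims.update(overrides)
    return claims


if __name__ == "__main__":
    samples = {
        "trusted tenant": make_claims(),
        "foreign tenant": make_claims(tid=FOREIGN, iss=ISSUER_TEMPLATE.format(tid=FOREIGN)),
        "issuer mismatch": make_claims(iss=ISSUER_TEMPLATE.format(tid=FOREIGN)),
        "expired": make_claims(exp=NOW - 1),
    }
    for name, claims in samples.items():
        print(f"{name}: {authorize(claims, now=NOW)}")
```
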
Did Wiz get a prize? Obviously yes: Ben-Sasson stated on Twitter that Microsoft awarded Wiz a $40,000 USD prize for finding and reporting the issue.

The prize is certainly quite large, but it is proportionate to what Wiz found, bearing in mind that this weakness could have been fatal if it had not been fixed immediately.

What do you think? Comment below, guys.

via: The Wall Street Journal, Neowin

