Bing vulnerability made it possible to alter search results

Product Center 2024-09-23 04:32:45 646

A major security exploit that let researchers change Bing search results was revealed this week.

The vulnerability was discovered in January by cybersecurity research company Wiz and reported to the Microsoft Security Response Center (MSRC).

In a Twitter thread, Wiz researcher Hillai Ben-Sasson explained how he was able to hack into Bing's content management system (CMS). By logging into Microsoft's cloud computing platform Azure, he discovered that he could grant all users access to internal Microsoft apps. He then accessed a database of Bing's search results. From there, Ben-Sasson figured out that he could actually modify what showed up in the results.

Wiz researchers also discovered that Bing was vulnerable to a Cross-Site Scripting (XSS) attack, and that they had access to sensitive Office 365 data including Outlook emails, Calendar information, and Teams messages. MSRC detailed security updates and shared recommendations for Azure AD admins and developers in its blog post.


The purpose of the researchers' experiment was to show that the attack was possible and to share their findings with Microsoft. But it shows how malicious hackers could have wreaked havoc for Bing.


"A malicious actor with the same access could’ve hijacked the most popular search results with the same payload and leak sensitive data from millions of users," said the Wiz blog post. Luckily it was caught before any major damage was done.

Microsoft confirmed that the vulnerability has been fixed as of March 29. Wiz received a $40,000 "bug bounty" for reporting the vulnerability, which it plans to donate to an unspecified recipient.
