Security researchers at Wiz recently identified numerous misconfigured Azure AD applications behind public-facing corporate websites and some general-purpose applications. This is not a bug in Azure AD itself; it results from developers, including developers at Microsoft, not fully understanding how the multi-tenant sign-in setting works.
In one instance involving Microsoft, Wiz researchers were able to ethically hack into the Bing search engine and modify its search results, a feat aptly dubbed “BingBang.” Combined with a second attack technique, cross-site scripting (XSS), it could be used to access sensitive information belonging to any Office 365 user who had signed in to Bing to search corporate emails and other data. Microsoft reportedly rewarded the Wiz researchers with a $40,000 bug bounty for the discovery.
For those using Azure AD, the question now is: how does this affect your environment? In short, if you have any Azure AD applications (third-party or your own) configured as multi-tenant, your environment may be vulnerable. Begin by examining your Azure AD for potentially vulnerable applications with the following Azure CLI command, which lists multi-tenant app registrations that expose a web home page URL:
az ad app list --filter "(signInAudience eq 'AzureADMultipleOrgs' or signInAudience eq 'AzureADandPersonalMicrosoftAccount')" --query "[?web && web.homePageUrl].{AppName:displayName, AppID:appId, AppURL:web.homePageUrl}"
If this query returns any results, assess each application individually. The most straightforward fix is to switch the application to single-tenant authentication, which disables sign-in for users outside your own tenant. If specific external users genuinely need access, carefully review and configure the appropriate access levels.
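The two steps above (triage the inventory, then decide per application whether external tenants may sign in) can be scripted. The following is an added example written for this article, not code from Wiz, Microsoft or Action1. It assumes the JSON shape that az ad app list returns (trimmed to the fields used here), uses constructed placeholder tenant IDs and app records, and assumes that the token's signature, audience and expiry have already been verified by a proper JWT library; the tenant check is the extra step a multi-tenant application must add if it is to stay multi-tenant.

```python
import json

# Constructed sample in the shape `az ad app list` returns (trimmed). Not real apps.
SAMPLE_APP_LIST = json.dumps([
    {"displayName": "Internal Portal", "appId": "00000000-0000-0000-0000-000000000001",
     "signInAudience": "AzureADMyOrg",
     "web": {"homePageUrl": "https://portal.example.test"}},
    {"displayName": "Partner Dashboard", "appId": "00000000-0000-0000-0000-000000000002",
     "signInAudience": "AzureADMultipleOrgs",
     "web": {"homePageUrl": "https://partners.example.test"}},
    {"displayName": "Consumer App", "appId": "00000000-0000-0000-0000-000000000003",
     "signInAudience": "AzureADandPersonalMicrosoftAccount",
     "web": {"homePageUrl": "https://app.example.test"}},
    {"displayName": "Daemon Job", "appId": "00000000-0000-0000-0000-000000000004",
     "signInAudience": "AzureADMultipleOrgs",
     "web": {"homePageUrl": None}},
])

# The two signInAudience values that allow sign-in from other Azure AD tenants.
MULTI_TENANT_AUDIENCES = {"AzureADMultipleOrgs", "AzureADandPersonalMicrosoftAccount"}


def find_multitenant_web_apps(app_list_json):
    """Same selection as the CLI --filter/--query: multi-tenant apps with a web home page."""
    hits = []
    for app in json.loads(app_list_json):
        web = app.get("web") or {}
        if app.get("signInAudience") in MULTI_TENANT_AUDIENCES and web.get("homePageUrl"):
            hits.append({"AppName": app["displayName"],
                         "AppID": app["appId"],
                         "AppURL": web["homePageUrl"]})
    return hits


# Constructed placeholder tenant IDs (assumptions for the example).
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
PARTNER_TENANT = "22222222-2222-2222-2222-222222222222"
FOREIGN_TENANT = "99999999-9999-9999-9999-999999999999"
ALLOWED_TENANTS = {HOME_TENANT, PARTNER_TENANT}


def tenant_is_allowed(claims, allowed_tenants):
    """Reject tokens issued for tenants that are not explicitly on the allowlist.

    Assumes signature, audience and expiry were already validated by a JWT library.
    A multi-tenant app that skips this check accepts any Azure AD user in the world.
    """
    tid = claims.get("tid")
    iss = claims.get("iss", "")
    if not tid or tid not in allowed_tenants:
        return False
    # The issuer must be the identity platform endpoint for that same tenant
    # (v2.0 form or v1.0 sts.windows.net form); otherwise the tid claim is not trustworthy.
    valid_issuers = (
        "https://login.microsoftonline.com/%s/v2.0" % tid,
        "https://sts.windows.net/%s/" % tid,
    )
    return iss in valid_issuers


# Constructed token claim sets (already signature-checked, by assumption).
HOME_USER_CLAIMS = {"iss": "https://login.microsoftonline.com/%s/v2.0" % HOME_TENANT,
                    "tid": HOME_TENANT, "preferred_username": "alice@example.test"}
FOREIGN_USER_CLAIMS = {"iss": "https://login.microsoftonline.com/%s/v2.0" % FOREIGN_TENANT,
                       "tid": FOREIGN_TENANT, "preferred_username": "mallory@other.test"}
# tid claims an allowed tenant but the issuer belongs to a different one: reject.
MISMATCHED_CLAIMS = {"iss": "https://login.microsoftonline.com/%s/v2.0" % FOREIGN_TENANT,
                     "tid": HOME_TENANT}

if __name__ == "__main__":
    for app in find_multitenant_web_apps(SAMPLE_APP_LIST):
        print("REVIEW:", app["AppName"], app["AppID"], app["AppURL"])
    for label, claims in (("home user", HOME_USER_CLAIMS),
                          ("foreign user", FOREIGN_USER_CLAIMS),
                          ("mismatched", MISMATCHED_CLAIMS)):
        print(label, "->", "allowed" if tenant_is_allowed(claims, ALLOWED_TENANTS) else "rejected")
```

Run the triage function over the real output of the az command to get the same list the --query expression produces; the tenant check belongs in the application's sign-in handler, where an allowlist of tenant IDs replaces the "any tenant may log in" default that made the Bing application exploitable.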
About Action1
Action1 provides a risk-based patch management solution for distributed work-from-anywhere organizations. Action1 helps discover, prioritize, and remediate vulnerabilities in a single solution to prevent security breaches and ransomware attacks. It automates patching of third-party applications, operating systems, drivers, and firmware, ensuring continuous patch compliance and remediation of security vulnerabilities before they are exploited.