Hacker uncovers backdoor that can change Bing’s top search results

Microsoft patched the issue and awarded the researcher $40,000.

 

Mikael Thalen


Posted on Mar 30, 2023   Updated on Mar 30, 2023, 11:03 am CDT

A vulnerability in Microsoft’s Bing search engine allowed a security researcher to alter the search results for millions of users.

The flaw, which has since been patched by Microsoft, was recently disclosed by Hillai Ben-Sasson, a researcher at the cloud security firm Wiz. Aside from altering search results, Ben-Sasson also revealed that the security bug granted him access to millions of Office 365 accounts.

“I hacked into a @Bing CMS that allowed me to alter search results and take over millions of @Office365 accounts,” he wrote. “How did I do it? Well, it all started with a simple click in @Azure…”

https://twitter.com/hillai/status/1641146508639600646?s=20

In a blog post on the matter, Ben-Sasson explains how a configuration option within Azure, Microsoft’s cloud computing service, came down to “a simple checkbox” that permitted any and all users to log into an administrator panel.

“My research started when our Research Team at @wiz_io first noticed a strange configuration in Azure,” he tweeted. “A single checkbox is all that separates an app from becoming ‘multi-tenant’ – which by default, allows ALL USERS to log in.”

Ben-Sasson went on to test out the vulnerability and was able to change the top results on Bing for any users searching for the “best soundtracks.” In typical hacker fashion, the researcher changed the most popular soundtrack from the 2021 movie Dune to the 1995 movie Hackers.

“I tested this theory by selecting the ‘best soundtracks’ keyword and switching the first result from ‘Dune (2021)’ to my personal favorite, ‘Hackers (1995),’” he added. “I was surprised to see this result immediately appear on http://Bing.com!”

Not to be outdone, Ben-Sasson further demonstrated how he could obtain Outlook emails, calendars, Teams messages, OneDrive files, and more from any of Bing’s more than 100 million active daily users.

The Daily Dot reached out to Ben-Sasson for comment but did not receive a reply by press time.

After Ben-Sasson alerted Microsoft to the vulnerability, the tech company quickly issued a patch and awarded the researcher and his team $40,000 for finding the bug. Ben-Sasson says the award will be donated to charity.

Bing, which has long been ridiculed in comparison to Google, has seen a significant increase in users since it integrated OpenAI’s chatbot ChatGPT into its service.

*First Published: Mar 30, 2023, 11:00 am CDT