Microsoft Mostly Fixes Azure Active Directory 'BingBang' App Misconfigurations
Microsoft on Wednesday confirmed that it has addressed a so-called "BingBang" security issue that affected "small number of our internal applications" due to Azure Active Directory authorization misconfigurations.
BingBang is the name that researchers at Wiz gave to the security vulnerability that they discovered, which was duly reported to Microsoft. The issues with Microsoft's apps have since been addressed, for the most part. What the Wiz team found is now outlined in this March 29 Wiz blog post.
The application authorization misconfigurations had "allowed external parties read and write access to the impacted applications," Microsoft's announcement indicated. The misconfigurations were corrected and "additional authorization checks" were added. Microsoft also confirmed that "no unintended access had occurred," which seems to mean that no other parties besides the Wiz security team had exploited the misconfigurations.
Access to Office 365 User Data
The security researchers at Wiz offered more details vs. Microsoft's account. They found that they could leverage Microsoft's app misconfigurations to alter Bing search results and gain access to the personal data of Office 365 users.
The security researchers at Wiz explained that they had first tapped Microsoft's misconfigured Bing Trivia app to alter Bing search results. Next, the Wiz researchers were able to leverage Bing search's integration with Office 365 user data to steal Office 365 user access tokens.
The stolen access tokens could permit an attacker to "access Bing users' Office 365 data, including Outlook emails, calendars, Teams messages, SharePoint documents, and OneDrive files," the Wiz researchers explained.
The misconfigurations likely occurred because developers can be confused when it comes to associating their multitenant apps with Azure AD -- including Microsoft's own developers. The Wiz researchers performed a general scan for other such misconfigured apps and found that "approximately 25%" of multitenant apps were vulnerable to their attack methods.
No code was needed to carry out the attack, and the Wiz researchers just compromised one of their own accounts during their security probes. They promptly reported the flaws to Microsoft after discovering the extent of the problem.
The app misconfigurations, if unfixed, would have permitted any Azure user to do things like alter Bing search content or steal Office 365 tokens. Here's how the Wiz team explained that circumstance:
AAD provides different types of account access: single-tenant, multi-tenant, personal accounts, or a combination of the latter two. A multi-tenant app allows logins from any user belonging to any Azure tenant. In a multi-tenant app, it is the developer’s responsibility to check the user’s original tenant and provision access accordingly. If they do not properly validate this information, any Azure user in the world could log in to the app.
Actions Needed by IT Pros and Devs
Microsoft's announcement indicated that "Azure AD has been updated to stop issuing access tokens to clients that are not registered in the resource tenants." This change addressed the problem for "more than 99% of customer applications."
For the remainder of the needed fixes, Microsoft sent instructions to Global Admins on what to do.
For instance, organizations using multitenant applications with Azure AD should inventory them to determine if they need to be used outside of the registered tenant. They should monitor sign-in logs and "use the 'Assignment required' feature to restrict access to only entities that are explicitly assigned to a resource app." Lastly, Microsoft recommended implementing conditional access policies to control "external access to resources in your tenant."
Microsoft also included instructions to developers to avoid such multitenant app misconfigurations.
About the Author
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.