Microsoft Patched Bing Vulnerability That Allowed Snooping On Email And Other Data

Microsoft Corp. MSFT 1.61% last month fixed a dangerous security issue in Bing days before it launched a new artificial intelligence-powered version of the search engine.

The problem was discovered by outside researchers at security firm Wiz Inc. It was created by a flaw in the way Microsoft configured applications on Azure, its cloud computing platform, and could be used to access people’s emails and other documents. that used Bing, the researchers said.

Microsoft fixed the issue on February 2, according to Ami Luttwak, Wiz’s chief technology officer. Five days later, Satya Nadella introduced the new generative AI capabilities to Bing, sparking renewed interest in Microsoft’s 14-year-old search engine. Bing usage has soared, rising to more than 100 million daily active users in the month since the upgrade, Microsoft said in a recent blog.

Microsoft has added generative AI capabilities to many of its software and services. The new Bing can help users find information using a chatbot backed by the technology behind ChatGPT.

Microsoft is adding the technology to its popular Microsoft 365 line of business software. This week it unveiled plans to use AI to help cybersecurity experts monitor and categorize threats and attacks.

A Microsoft spokesperson said the misconfiguration issue affected a small number of the company’s applications that used its login management service, called Azure Active Directory.

“We appreciate the collaboration with Wiz, which helped us reduce a potential risk and further harden our services and thank them for working with us to protect the ecosystem,” the company said in a statement. .

Microsoft and Wiz are scheduled to announce more details on the issue and how customers can mitigate it on Wednesday.

Photo illustration: Preston Jessee for The Wall Street Journal

Wiz said there is no evidence that anyone took advantage of the issue. It’s not clear how long it’s been available for hackers to use, though the issue may have been exploitable for years, the cybersecurity company said.

Hillai Ben-Sasson, a researcher at Wiz, said the misconfiguration allowed him to access a site used by Microsoft employees to post trivia quizzes on Bing. Because it’s misconfigured, anyone with a free Microsoft account can use it to change what results appear on Bing for search queries.

It should have only been visible to Microsoft employees, Wiz’s mr. Luttwak said. “We should never have seen it,” he said.

The Wiz team discovered that they could change some Bing search results by changing data on the Bing trivia page. They were able to make specific results appear for any search query by tinkering with the trivia page. They made the 1995 film “Hackers” appear for anyone who searched for the term “best soundtracks”.

Then they discovered something more serious: a way to access Bing users’ Microsoft 365 emails, documents, calendars and other data.

This kind of access will be extremely valuable to hackers who can use it to steal sensitive information, send fraudulent emails and gain access to computer systems.

“A potential attacker could have affected Bing search results and compromised Microsoft 365 emails and data of millions of people,” Mr. Luttwak said. “It could have been a nation state trying to influence public opinion or a financially motivated hacker.”

In addition to the trivia site, Wiz researchers found about 1,000 other sites on Microsoft’s cloud that appeared to have similar problems. Most of the pages appeared to belong to Azure customers, but at least 10 of them were Microsoft’s.

Microsoft has emerged as one of the world’s largest cyber security companies. It has also recently been plagued by security concerns as it tries to lock down both its legacy products, which run on personal computers and in corporate data centers, while integrating them with its fast-growing cloud computing platform.

Write to Robert McMillan at [email protected]