Microsoft Corp. patched a dangerous security vulnerability in Bing last month, ahead of the launch of a new artificial intelligence-based version of the search engine.
The problem was discovered by external researchers from the security company Wiz Inc. It was caused by a flaw in the way Microsoft configured applications on Azure, its cloud computing platform, which could have been used to gain access to emails and other documents belonging to people who use Bing, the researchers said.
According to Ami Luttwak, Wiz’s chief technology officer, Microsoft fixed the problem on February 2nd. Five days later, Satya Nadella unveiled Bing’s new generative AI capabilities, sparking renewed interest in Microsoft’s 14-year-old search engine. Bing usage has skyrocketed, growing to more than 100 million daily active users since the upgrade, Microsoft said in a recent blog.
Microsoft has added generative AI capabilities to much of its software and services. The new Bing can help users track down information using a chatbot powered by the technology behind ChatGPT.
Microsoft is adding the technology to its popular Microsoft 365 suite of business software. Plans were unveiled this week to use AI to help cybersecurity professionals monitor and categorize threats and attacks.
A Microsoft spokesman said the misconfiguration issue affected a small number of the company’s applications that used its login management service called Azure Active Directory.
“We appreciate working with Wiz, who helped us mitigate a potential risk and continue to improve our services, and thank them for working with us to protect the ecosystem,” the company said in a statement.
Microsoft and Wiz are expected to provide more details on the issue and how customers can mitigate it on Wednesday.
Photo illustration: Preston Jessee for The Wall Street Journal
Wiz said there was no evidence anyone took advantage of the issue. It is not clear how long the issue had been available to hackers, although it could have been exploited for years, the cybersecurity firm said.
Hillai Ben-Sasson, a researcher at Wiz, said the misconfiguration allowed him to access a website used by Microsoft employees to set up trivia quizzes on Bing. Because it was misconfigured, anyone with a free Microsoft account could use it to change what results were shown for Bing searches.
It should have been visible only to Microsoft employees, said Wiz’s Mr. Luttwak. “We should never have seen it,” he said.
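The article describes the flaw only as an Azure Active Directory misconfiguration that let anyone with a free Microsoft account reach an internal page. The check below is an added example, not code from the article, Wiz or Microsoft; it shows the defender-side control for the usual cause of that class of issue, an app registration that accepts sign-ins from any Azure AD tenant without confirming the token's tenant (`tid`) and issuer (`iss`) claims. The tenant IDs, audience and claim values are constructed, the function and its name are hypothetical, and it assumes the token's signature has already been verified against the identity provider's keys.

```python
# Added example: tenant and issuer validation for an Azure AD token in an app
# that is registered as multi-tenant. This is not the article's, Wiz's or
# Microsoft's code; tenant IDs, audience and claim values are constructed.
from __future__ import annotations

import time

# Constructed allowlist: the only tenant(s) this internal app should serve.
ALLOWED_TENANTS = {"11111111-1111-1111-1111-111111111111"}
# Constructed audience (the app's own identifier URI).
EXPECTED_AUDIENCE = "api://internal-trivia-admin"


def expected_issuers(tid: str) -> set[str]:
    """Issuer values Azure AD uses for a given tenant (v2.0 and v1.0 token formats)."""
    return {
        f"https://login.microsoftonline.com/{tid}/v2.0",
        f"https://sts.windows.net/{tid}/",
    }


def validate_claims(
    claims: dict,
    now: float | None = None,
    allowed_tenants: set[str] = ALLOWED_TENANTS,
    audience: str = EXPECTED_AUDIENCE,
) -> tuple[bool, str]:
    """Return (accepted, reason) for an already signature-verified token.

    A multi-tenant registration means any Azure AD tenant, including a free
    personal account's tenant, can obtain a validly signed token for the app.
    The app itself must therefore decide which tenants it trusts; that is the
    check a misconfigured app omits.
    """
    now = time.time() if now is None else now

    tid = claims.get("tid")
    if not tid:
        return False, "missing tid claim"
    if tid not in allowed_tenants:
        return False, f"tenant {tid} is not on the allowlist"

    # The issuer must name the same tenant as the tid claim, so a token from
    # another tenant cannot be accepted on the strength of a matching tid alone.
    if claims.get("iss") not in expected_issuers(tid):
        return False, "issuer does not match the tid claim"

    if claims.get("aud") != audience:
        return False, "audience mismatch"

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired or exp claim missing"

    return True, "ok"


# Constructed sample claims (the payload a verified JWT would decode to).
HOME_TENANT_TOKEN = {
    "tid": "11111111-1111-1111-1111-111111111111",
    "iss": "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0",
    "aud": "api://internal-trivia-admin",
    "exp": 2_000_000_000,
}
FOREIGN_TENANT_TOKEN = {
    "tid": "22222222-2222-2222-2222-222222222222",
    "iss": "https://login.microsoftonline.com/22222222-2222-2222-2222-222222222222/v2.0",
    "aud": "api://internal-trivia-admin",
    "exp": 2_000_000_000,
}

if __name__ == "__main__":
    fixed_now = 1_700_000_000
    print(validate_claims(HOME_TENANT_TOKEN, now=fixed_now))
    print(validate_claims(FOREIGN_TENANT_TOKEN, now=fixed_now))
```

Restricting the app registration to a single tenant in Azure AD is the first fix; the claim check above is the in-code defence that still holds when a registration is, or later becomes, multi-tenant. Logging the rejected `tid` gives a detection signal for sign-in attempts from tenants the app was never meant to serve.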
The Wiz team discovered that by changing data on the Bing trivia page they could make specific results appear for a given search query. They made the 1995 film “Hackers” pop up for anyone searching for the phrase “best soundtracks.”
Then they discovered something more serious: a way to gain access to Bing users’ Microsoft 365 email, documents, calendars, and other data.
This type of access would be extremely valuable to hackers, who could use it to steal confidential information, send fraudulent emails, and gain access to computer systems.
“A potential attacker could have impacted Bing search results and compromised Microsoft 365 email and data for millions of people,” Luttwak said. “It could have been a nation state trying to sway public opinion or a financially motivated hacker.”
In addition to the trivia site, Wiz researchers found about 1,000 other sites in the Microsoft cloud that appeared to have similar issues. Most of the pages looked like they belonged to Azure customers, but at least 10 of them belonged to Microsoft.
Microsoft has grown into one of the world’s largest cybersecurity companies. It has also been plagued by security issues lately as it attempts to lock down its legacy products running on PCs and in enterprise data centers while also integrating them with its rapidly expanding cloud computing platform.
Write to Robert McMillan at [email protected]
Copyright ©2022 Dow Jones & Company, Inc. All rights reserved.