WSJ News Exclusive | Microsoft Patched Bing Vulnerability That Allowed Snooping on Email and Other Data
Microsoft Corp. patched a dangerous security issue in Bing last month just days before it launched a new artificial intelligence-powered version of the search engine.
The problem was discovered by outside researchers at the security firm Wiz Inc. It was created by a mistake in the way that Microsoft configured applications on Azure, its cloud-computing platform, and could be used to gain access to emails and other documents of people who used Bing, the researchers said.
Microsoft fixed the problem on Feb. 2, according to Ami Luttwak, Wiz’s chief technology officer. Five days later Satya Nadella introduced the new generative AI capabilities to Bing, bringing a renewed interest in Microsoft’s 14-year-old search engine. Usage of Bing has jumped, rising to more than 100 million daily active users in the month since the upgrade.
Microsoft has been adding generative AI capabilities to much of its software and services. The new Bing can help users track down information using a chatbot backed by the technology behind ChatGPT.
Microsoft is adding the technology to its popular Microsoft 365 suite of business software. This week it unveiled plans to use AI to help cybersecurity experts monitor and categorize threats and attacks.
A Microsoft spokesman said the misconfiguration issue affected a small number of the company’s applications that used its login management service, called Azure Active Directory.
“We appreciate the collaboration with Wiz, which helped us mitigate a potential risk and further harden our services and thank them for working with us to protect the ecosystem,” the company said in a statement.
Microsoft and Wiz are scheduled to announce more details about the issue and how customers can mitigate it on Wednesday.
Wiz said there is no evidence anyone has taken advantage of the issue. It isn’t clear how long it was available for hackers to use although the issue may have been exploitable for years, the cybersecurity company said.
Hillai Ben-Sasson, a researcher at Wiz, said the misconfiguration allowed him to access a website used by Microsoft employees to set up trivia quizzes on Bing. Because it was misconfigured, anyone with a free Microsoft account could use it to change what results popped up on Bing for search queries.
It should only have been viewable to Microsoft employees, Wiz’s Mr. Luttwak said. “We should have never seen it,” he said.
The Wiz team discovered they could change some Bing search results by changing data on the Bing trivia page. They were able to make specific results show up for any search query by tinkering with the trivia page. They made the 1995 film “Hackers” pop up for anyone who searched for the term “best soundtracks.”
Then they discovered something more serious: a way to get access to Bing users’ Microsoft 365 emails, documents, calendars and other data.
This kind of access would be extremely valuable to hackers who could use it to steal sensitive information, send fraudulent emails and gain access to computer systems.
In addition to the trivia site, Wiz researchers found about 1,000 other websites on Microsoft’s cloud that appeared to have similar problems. Most of the pages looked like they belonged to Azure customers but at least 10 of them were Microsoft’s, Mr. Luttwak said.
“If it could happen to Microsoft it could happen to anyone using Azure,” he said.
Microsoft has emerged as one of the world’s largest cybersecurity companies. It has also been plagued by security issues recently as it tries to lock down its legacy products, which run on personal computers and in corporate data centers, while integrating them with its fast-growing cloud computing platform.
Write to Robert McMillan at [email protected]
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.