Microsoft has patched a misconfiguration issue impacting the Azure Active Directory (AAD) identity and access management service that exposed several "high-impact" applications to unauthorized access.
"One of these apps is a content management system (CMS) that powers Bing.com and allowed us to not only modify search results, but also launch high-impact XSS attacks on Bing users," cloud security firm Wiz said in a report. "Those attacks could compromise users' personal data, including Outlook emails and SharePoint documents."
The issues were reported to Microsoft in January and February 2022, following which the tech giant applied fixes and awarded Wiz a $40,000 bug bounty. Redmond said it found no evidence that the misconfigurations were exploited in the wild.
The crux of the vulnerability stems from what's called "Shared Responsibility confusion," wherein an Azure app can be incorrectly configured to allow users from any Microsoft tenant, leading to a potential case of unintended access.