Tech
Cybersecurity

Bing vulnerability made it possible to alter search results

The exploit has been fixed, but it's still unsettling.
By Cecily Mauran  on 
Padlock on a circuit board
That was a close one. Credit: Getty Images

A major security exploit that let researchers change Bing search results was revealed this week.

The vulnerability was discovered in January by cybersecurity research company Wiz(opens in a new tab) and reported to the Microsoft Security Response Center (MSRC).

In a Twitter thread, Wiz researcher Hillai Ben-Sasson explained how he was able to hack into Bing's content management system (CMS). By logging into Microsoft's cloud computing platform Azure, he discovered that he could grant all users access to internal Microsoft apps. He then accessed a database of Bing's search results. From there, Ben-Sasson figured out that he could actually modify what showed up in the results.

Wiz researchers also discovered that Bing was vulnerable to a Cross-Site Scripting (XSS) attack and discovered they had access to sensitive Office 365 data including Outlook emails, Calendar information, and Teams messages. MSRC detailed security updates and shared recommendations for Azure AD admins and developers in its blog post(opens in a new tab).

The purpose of the researchers' experiment was to show that it was possible and share its findings with Microsoft. But it shows how malicious hackers could have wreaked havoc for Bing.

"A malicious actor with the same access could’ve hijacked the most popular search results with the same payload and leak sensitive data from millions of users," said the Wiz blog post. Luckily it was caught before any major damage was done.

Microsoft confirmed(opens in a new tab) that it has been fixed as of March 29. Wiz received a $40,000 "bug bounty" for reporting the vulnerability, which it it plans to donate to an unspecified recipient.

Mashable Image
Cecily Mauran

Cecily is a tech reporter at Mashable who covers AI, Apple, and emerging tech trends. Before getting her master's degree at Columbia Journalism School, she spent several years working with startups and social impact businesses for Unreasonable Group and B Lab. Before that, she co-founded a startup consulting business for emerging entrepreneurial hubs in South America, Europe, and Asia. You can find her on Twitter at @cecily_mauran(opens in a new tab).


Recommended For You

How to watch Premier League soccer in the U.S.

'Judy Blume Forever' review: A literary icon gets a triumphant, timely tribute


How to watch 'Barry' Season 4: The bloody saga is coming to a conclusion

Trending on Mashable

'Wordle' today: Here's the answer, hints for April 21

Dril and other Twitter power users begin campaign to 'Block the Blue' paid checkmarks

How to remove Snapchat's My AI from your Chat feed

The biggest stories of the day delivered to your inbox.
By signing up to the Mashable newsletter you agree to receive electronic communications from Mashable that may sometimes include advertisements or sponsored content.
Thanks for signing up. See you at your inbox!