We can't find the internet
Attempting to reconnect
Something went wrong!
Hang in there while we get back on track
BingBang: Hacking Bing.com (and much more) with Azure Active Directory
Discover the shocking vulnerabilities in Azure Active Directory, from the "BingBang" talk, where 1,300 apps were exposed, and every user and tenant had access to sensitive information.
- Over 500 organizations were vulnerable to the Polycheck API vulnerability.
- The identity provider will provide information about the app, including the app ID and access token.
- Every single user and every single tenant has access to read notifications and create new notifications.
- 1,300 out of 5,000 multi-tenant apps were vulnerable.
- Microsoft is prone to mistakes, with thousands of apps vulnerable to the Azure Active Directory (AAD) configuration issue.
- Every single tenant and every single user had access to create new notifications and post on the page.
- The author of the talk admits that even they couldn’t answer their own questions about some apps.
- The consequences of the vulnerability can be severe, with access to sensitive information such as emails, calendars, and files.
- The author believes that mistakes are inevitable in the cybersecurity landscape.
- The talk also mentions some guidance for Azure customers to fix the issue, including checking the documentation and reviewing authorization logic.
- The author suggests that built-in checks alone are not sufficient for comprehensive security.
- Microsoft has updated their guidance and Azure App Service to help prevent future instances of the vulnerability.
- The author recommends checking out the Wiz website and MSRC blog for further guidance.