LAS VEGAS -- A new attack vector in Azure Active Directory has exposed approximately 25% of multi-tenant applications to unauthorized access, according to research from cloud security vendor Wiz.
At a Black Hat USA 2023 session Wednesday, Wiz senior security researcher Hillai Ben-Sasson outlined the risk to enterprise applications integrated with Azure Active Directory, or Azure AD. Wiz discovered a simple misconfiguration in tenancy settings for Azure App Services and Azure Functions can create an authentication bypass for multi-tenant applications.
First disclosed in a March blog post, Ben-Sasson explained that Azure AD allows customers to select an application registration type that associates the app with their chosen identity and access management provider. The Azure AD settings also give customers the ability to select account access type: single-tenant, multi-tenant, personal accounts, or a combination of multi-tenant and personal accounts.
However, Wiz discovered those configurations created apparent confusion among users, which led to a raft of accidentally exposed Azure apps. Because multi-tenant apps let any Azure tenant issue OAuth tokens for them, it's incumbent on app developers to inspect those tokens, validate the users, and decide which apps they should be allowed to access.
Ben-Sasson said the Azure AD settings don't make that distinction clear. As a result, a misconfigured multi-tenant app could be accessed by any Azure user, not just the organization's approved users. An attacker therefore could obtain Azure AD credentials for a single organization but access many other organizations' multi-tenant applications if they fell victim to this misconfiguration.
Wiz researchers conducted internet scans for applications on Azure App Services and Azure Functions and discovered that about a quarter of the multi-tenant apps were exposed to the authentication bypass -- approximately 1,300 apps from more than 500 organizations. During the scanning process, Wiz decided to narrow its search and focus on exposed Azure AD applications on Microsoft's own tenant; one of the multi-tenant applications it discovered was a CMS for Bing.com.
The BingBang attack and other threats
Wiz said its scans revealed "several high-impact, vulnerable Microsoft applications," including a domain for an app named Bing Trivia. Ben-Sasson said he created a new user called "Wiz Researcher" in his company's own tenant and found he could use it to log into Bing Trivia's CMS.
After gaining access to the CMS, Ben-Sasson began studying the domain's admin panel and discovered it gave him far more capabilities beyond simply tinkering with trivia questions and answers. For example, he found he could modify search results for Bing, which an attacker could potentially abuse to direct users to malicious links.
Even worse, Ben-Sasson tested XSS viability for the app and discovered he could inject malicious code into Bing. At point in late January, Wiz reported the findings to Microsoft, which promptly fixed the access to Bing Trivia's CMS. But Ben-Sasson conducted additional research into potential XSS attacks on Microsoft's multi-tenant apps and found that in the case of Bing Trivia, the attack surface was even more broad than he had first realized.
For example, Ben-Sasson discovered that because of its integrations with Microsoft 365 services, Bing can issue Office tokens to any authenticated user. He then developed a new XSS payload that could abuse those tokens and collect users' Office 365 data, including Outlook and Teams messages, SharePoint documents and OneDrive files. Ben-Sasson tested the attack technique, which Wiz dubbed "BingBang," on himself and found it stole his Outlook emails.
Given Bing's presence, Wiz said attackers could deliver false search results and malicious links to millions of the search engine's users while also stealing their Office 365 data.
"The amount of bad things threat actors could have done with this access is crazy," Ben-Sasson said in a pre-briefing with TechTarget Editorial prior the session.
Ami Luttwak, Wiz CTO and co-founder, compared the BingBang attack to the recent Storm-0558 email attacks on Microsoft customers. In those incidents, a China-based threat actor compromised the email accounts of approximately 25 organizations -- including several federal government agencies -- by exploiting a token validation issue and using a stolen Microsoft account (MSA) signing key.
While Microsoft is still investigating the Storm-0558 attacks (the company fixed the validation error but has not determined how the MSA key was acquired), Luttwak said BingBang could be used to achieve similar results. "It shows you that there are more integration flows for getting access to email accounts," he told TechTarget Editorial. "There is a lot of interconnectivity between these services that can eventually give you access to sensitive emails."
After reporting the initial findings to Microsoft on Jan. 31, Wiz worked with the software giant to address other vulnerable Microsoft applications, some of which had access to sensitive data and functions. During the session, Ben-Sasson said he found an internal app on the Microsoft tenant named Centralized Notification Service, which is a notification system for developers. He also found an internal storage management system named Cosmos that held more than four exabytes of Microsoft files.
Microsoft patched those applications and awarded Wiz a $40,000 bug bounty award shortly before the misconfiguration issue was publicly disclosed on March 29. In addition, Ben-Sasson said Microsoft updated the settings and documentation to prevent customers from misconfiguring their multi-tenant apps and introducing the authentication bypass. Microsoft also introduced a new configuration setting that gives customers the ability to select the tenant ID that is authorized to access each Azure AD app.
"That was basically the best outcome of this -- providing the tools to help people configure their applications safely," he said.
There was just one problem. Virtually all the non-Microsoft tenant applications Wiz discovered in its scans are still misconfigured. "Twenty-five percent is a pretty big number," Ben-Sasson said during the pre-briefing. "We were hoping that a couple months later the numbers would be somewhat better. But it seems like most of these apps are still configured the same way."
Luttwak estimated that more than 90% of the multi-tenant apps Wiz found are currently exposed. Part of the problem is the complexity for Azure AD, he said, which is the foundation for enterprise identity management. "The number of security teams that understand Azure AD is probably zero," he said, noting that even Microsoft itself had exposed internal apps via this misconfiguration.
Ben-Sasson added that cloud services overall are prone to accidental misconfigurations and data exposures, not just Azure. "The reason people use the cloud is because it's super easy to use," he said. "In the old days with on premise environments, it would take a lot of active work to expose things. In the cloud, it's literally clicking the wrong check box."
Rob Wright is a longtime technology reporter who lives in the Boston area.