Bing hack let user change search results for 100 million users

Security vulnerability also gave researcher access to ‘millions’ of Outlook emails, calendars and MS Teams messages

Anthony Cuthbertson
Thursday 30 March 2023 13:40 BST

A security researcher has claimed that he was able to hack into Microsoft’s Bing search engine in order to change the top results to whatever he chose.

Hillai Ben-Sasson, who works as a researcher at cloud security firm Wiz, was also able to take over millions of Microsoft Office 365 accounts, which he claimed gave him access to users’ Outlook emails, calendars and MS Teams messages.

“I hacked into a Bing CMS that allowed me to alter search results and take over millions of Office 365 accounts,” Mr Ben-Sasson wrote.

His Wiz research team spotted the vulnerability within Microsoft’s cloud computing service Azure, where a configuration meant that “a single checkbox is all that separates an app from becoming ‘multi-tenant’”, meaning all users could log in to the back end.

“My user was immediately granted access to this ‘Bing Trivia’ page,” he explained.

“Don’t let the name fool you – it controls much more than just trivia. In fact, as I came to find out, it can control actual search results.”

The vulnerability allowed Mr Ben-Sasson to switch the top result on Bing when searching ‘best soundtracks’, swapping it from the 2021 movie Dune to the 1995 cult classic Hackers.

It is not clear if the security flaw was exploited by any malicious hackers before it was discovered, though it appears to have since been patched by Microsoft.

Mr Ben-Sasson said he and his team were awarded $40,000 by Microsoft as part of its bug bounty program.

The Independent has reached out to Microsoft for more information.

Bing has seen a surge in popularity in recent months following the integration of OpenAI’s popular AI chatbot ChatGPT.

The company reported earlier this month that Bing had passed 100 million daily active users, while also seeing significantly improved engagement.

“This is a surprisingly notable figure, and yet we are fully aware we remain a small, low, single digit share player,” Yusuf Mehdi, Microsoft’s consumer chief marketing officer, said at the time. “That said, it feels good to be at the dance.”
