Bing hack let user change search results for 100 million users
Security vulnerability also gave researcher access to ‘millions’ of Outlook emails, calendars and MS Teams messages
A security researcher has claimed that he was able to hack into Microsoft’s Bing search engine in order to change the top results to whatever he chose.
Hillai Ben-Sasson, who works as a researcher at cloud security firm Wiz, was also able to take over millions of Microsoft Office 365 accounts, which he claimed gave him access to users’ Outlook emails, calendars and MS Teams messages.
“I hacked into a Bing CMS that allowed me to alter search results and take over millions of Office 365 accounts,” Mr Ben-Sasson wrote.
His Wiz research team spotted the vulnerability within Microsoft’s cloud computing service Azure, where a configuration meant that “a single checkbox is all that separates an app from becoming ‘multi-tenant’”, meaning all users could log in to the back end.
“My user was immediately granted access to this ‘Bing Trivia’ page,” he explained.
“Don’t let the name fool you – it controls much more than just trivia. In fact, as I came to find out, it can control actual search results.”
The vulnerability allowed Mr Ben-Sasson to switch the top result on Bing when searching ‘best soundtracks’, swapping it from the 2021 movie Dune to the 1995 cult classic Hackers.
It is not clear if the security flaw was exploited by any malicious hackers before it was discovered, though it appears to have since been patched by Microsoft.
Mr Ben-Sasson said he and his team were awarded $40,000 by Microsoft as part of its bug bounty program.
The Independent has reached out to Microsoft for more information.
Bing has seen a surge in popularity in recent months following the integration of OpenAI’s popular AI chatbot ChatGPT.
The company reported earlier this month that Bing had passed 100 million daily active users, while also seeing significantly improved engagement.
“This is a surprisingly notable figure, and yet we are fully aware we remain a small, low, single digit share player,” Yusuf Mehdi, Microsoft’s consumer chief marketing officer, said at the time. “That said, it feels good to be at the dance.”