
BingBang Shows Why Cloud Providers Need Bug Bounties

A security researcher found an Azure exploit valued by Microsoft at $40,000


Earlier this week, a cloud security researcher from Wiz Research found a huge vulnerability in the Bing content management system. Termed BingBang, this bug exposed access to misconfigured systems, allowing third parties to access them without authorisation. While the bug was found by a white hat hacker and promptly fixed by Microsoft, the vulnerability itself shows a fatal flaw in modern web services – centralisation. 

Services offered by software companies such as Microsoft or Google are hosted on the companies' own cloud computing infrastructure. While these companies have since turned that infrastructure into a product, there are evidently still ways for outside parties to get past the security a cloud service provider puts in place.

The BingBang Exposé

Earlier this week, Hillai Ben-Sasson, the aforementioned security researcher, published a tweet thread and an accompanying blog post detailing this vulnerability. Calling it ‘BingBang’, Hillai explained how the discovery began with a toggle in Azure's app settings. This toggle switches an app's permissions from ‘single tenant’ to ‘multi-tenant’. If an app was set to ‘multi-tenant’, it meant that anyone could log in to the app.

Multi-tenancy is one of the secret sauces that make modern cloud service providers (CSPs) work. Using this approach, multiple ‘tenants’ or users can access the same resources while not being aware of each other. This allows CSPs to effectively use resources for multiple users, increasing the scalability of the server farm while allowing resources to stretch for longer. 

By finding a Microsoft application configured with multi-tenancy, the researcher was able to gain access to the backend of Bing’s CMS. Called ‘Bing Trivia’, this application provided backend access to a facet of Bing Search which covered features such as various quizzes, the ‘On This Day’ feature, spotlights and common answers for entertainment queries. By accessing this application and abusing his privileges, Hillai was able to manipulate Bing’s search results. 
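The gap the article describes, as an added illustration that is not code from Wiz or Microsoft: once a sign-in token's signature and audience have been verified, a multi-tenant app must still bind the login to the tenants it is meant to serve, using the token's `tid` (tenant) and `iss` (issuer) claims. The tenant IDs, the app ID and the claim sets below are constructed placeholders; treating the tenant check as the missing authorisation step is an assumption made for this example.

```python
# Added example (not from the article, Wiz or Microsoft). The decoded claims
# are assumed to come from a token whose signature and expiry were already
# verified; what follows is the authorisation decision a multi-tenant app
# still has to make. Tenant IDs and the app ID are constructed placeholders.

ISSUER_PREFIX = "https://login.microsoftonline.com/"

# Constructed: the one tenant this internal app is meant to serve.
ALLOWED_TENANTS = {"11111111-1111-1111-1111-111111111111"}
APP_ID = "app-id-placeholder"


def accept_token_weak(claims: dict, expected_audience: str) -> bool:
    """Audience check only. Every Azure AD user from any tenant passes,
    which is the misconfiguration class the article describes."""
    return claims.get("aud") == expected_audience


def accept_token_hardened(claims: dict, expected_audience: str) -> bool:
    """Audience plus tenant binding: the token must name an allowed
    tenant, and the issuer must agree with that tenant."""
    if claims.get("aud") != expected_audience:
        return False
    tid = claims.get("tid")
    if tid not in ALLOWED_TENANTS:
        return False
    # The v2.0 issuer is tenant-specific, so it must match the "tid" claim.
    return claims.get("iss") == f"{ISSUER_PREFIX}{tid}/v2.0"


def make_claims(tid: str, aud: str) -> dict:
    """Constructed decoded-token claims for a user of tenant `tid`."""
    return {
        "aud": aud,
        "tid": tid,
        "iss": f"{ISSUER_PREFIX}{tid}/v2.0",
        "preferred_username": "user@example.com",
    }


HOME = make_claims("11111111-1111-1111-1111-111111111111", APP_ID)
OUTSIDER = make_claims("99999999-9999-9999-9999-999999999999", APP_ID)

if __name__ == "__main__":
    for name, c in (("home tenant", HOME), ("foreign tenant", OUTSIDER)):
        print(f"{name}: weak={accept_token_weak(c, APP_ID)} "
              f"hardened={accept_token_hardened(c, APP_ID)}")
```

The foreign-tenant login passes the weak check and fails the hardened one; the hardened check also rejects a token whose issuer names a different tenant than its `tid` claim.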

While this is a relatively mild abuse of the bug, the researcher also found that it was possible to create a cross-site scripting (XSS) package and serve it to other applications on the network. Using this exploit, Hillai found that it was possible for attackers to get an authentication token, which could then be used to access Outlook emails, Calendars, Teams messages, and OneDrive files from any Bing user. 

Reportedly, the researcher discovered this vulnerability in mid-January and proceeded to inform Microsoft about it. To Microsoft’s credit, it quickly responded to the report and fixed the vulnerable applications, awarding the researcher a $40,000 bug bounty under the Microsoft 365 Bounty Program. It also added further authorisation checks to address the issue and made ‘additional changes to reduce the risk of future misconfigurations’. 

According to Wiz’s blog, about 25% of multi-tenant applications were found to be vulnerable to this bug. Bing Trivia was just one of the applications they accessed, with the blog stating that there were “several high-impact, vulnerable Microsoft applications”. While Microsoft cannot be blamed directly for this vulnerability, it is important to note the risks that come with hosting sensitive applications on a publicly accessible cloud. 

Are Centralised Clouds Fundamentally Vulnerable?

This isn’t the first time that a vulnerability has been discovered in Azure. In the past 3 months alone, Microsoft’s security response centre (MSRC) has discovered six exploits in Azure. While some of these are low-risk, one of them allows attackers to elevate privileges in Microsoft Outlook, leading to possible credential theft. To this end, Microsoft has also handed out $13.7 million in bounties in 2022, with the biggest reward being $200,000 for a bug found in Hyper-V. 

At a glance, CSPs can be subjected to denial of service attacks, cloud malware injection attacks, cross-cloud attacks, and insider attacks. This means that cloud service providers need to take multiple security measures to mitigate these possible attacks. However, vulnerabilities sometimes slip through the cracks due to the sheer number of angles from which the problem can be approached.

Azure is not the only one to suffer from such shortcomings. As part of the GCP vulnerability reward program, Google pays over $313,000 to a handful of security researchers every year. Apart from this, the vulnerability rewards program also pays bug bounties for security vulnerabilities discovered in GCP, with the company dishing out $8.7 million in rewards in 2021 alone. 

AWS, on the other hand, has not disclosed how much it pays out in bounties, instead tying up with platforms like HackerOne and Bugbounter to discover and fix bugs in its platforms. However, it is clear that this is a priority for AWS, mainly due to the large attack surface that centralised cloud service providers have.

Instituting bug bounty programs is a good place to start, as this will not only monetarily incentivise researchers to find bugs, but also instil a sense of curiosity around the workings of CSPs’ offerings. Google’s Eduardo Vela, the head of GCP’s security response team, said in an interview, “We don’t care about vulnerabilities; we care about exploits. The whole idea is what to do beyond just patching a couple of vulnerabilities. This is why we pay $100,000. It is so much more work, and we learn a lot from these exploits.”

In 2022, both Google and Microsoft increased their bug bounty payouts to reflect the larger attack surface brought about by their upgrades and new products. As CSPs continue to innovate and accelerate, it seems that security researchers have now become their secret weapon, finding and reporting bugs in platforms with possibly thousands of security flaws. 


Anirudh VK

I am an AI enthusiast and love keeping up with the latest events in the space. I love video games and pizza.