Microsoft has released a patch to address a misconfiguration issue in Azure Active Directory that could allow unauthorized access to crucial applications, The Hacker News reports.
The root of the vulnerability lies in a so-called Shared Responsibility confusion in which an Azure app can be configured improperly such that users can access it from any Microsoft tenant without authorization.
Researchers at cloud security firm Wiz said that several Microsoft apps including the Bing Trivia app also exhibit this behavior, which in Bings case poses the critical risk of being used to launch a cross-site scripting attack to steal Outlook emails, OneDrive files,Teams messages, and SharePoint documents.
A malicious actor with the same access could've hijacked the most popular search results with the same payload and leak sensitive data from millions of users, according to Wiz researcher Hillai Ben-Sasson.
Microsoft awarded Wiz a $40,000 bug bounty after being informed of the vulnerability.
U.S. critical infrastructure organizations have been noted by the Department of Homeland Security to be at risk of cyberattacks leveraging artificial intelligence, with China and other nation-states exploiting the technology to deploy more advanced malware attacks and influence operations, CyberScoop reports.
Major U.S. consumer product leasing firm Progressive Leasing has disclosed that some of its systems have been impacted by a cyberattack that resulted in the significant compromise of personally identifiable information belonging to its customers and other individuals, according to The Record, a news site by cybersecurity firm Recorded Future.