Cloud Security

Misconfiguration issue in Azure Active Directory gets patched

Microsoft has released a patch to address a misconfiguration issue in Azure Active Directory that could allow unauthorized access to crucial applications, The Hacker News reports. The root of the vulnerability lies in a so-called Shared Responsibility confusion, in which an Azure app can be configured improperly such that users can access it from any Microsoft tenant without authorization. Researchers at cloud security firm Wiz said that several Microsoft apps, including the Bing Trivia app, also exhibit this behavior, which in Bing's case poses the critical risk of being used to launch a cross-site scripting attack to steal Outlook emails, OneDrive files, Teams messages, and SharePoint documents. A malicious actor with the same access could have hijacked the most popular search results with the same payload and leaked sensitive data from millions of users, according to Wiz researcher Hillai Ben-Sasson. Microsoft awarded Wiz a $40,000 bug bounty after being informed of the vulnerability.
