BingBang: Hacking Bing.com (and much more) with Azure Active Directory
Toronto Metro Convention Center (Meeting Room: 718B)
In cloud-managed environments, exposing one of your most sensitive assets to external attackers can be as simple as clicking a checkbox. This was the case for Bing.com with its Azure Active Directory (AAD) integration, where a single misconfiguration enabled us to bypass authentication, alter search results, and launch XSS attacks against its users that stole their Office 365 tokens. Bing was not an isolated case, however: by inventing a new scanning technique to remotely map AAD misconfigurations, we identified thousands of exposed applications across the internet.
In this talk, we will present our novel technique for hunting misconfigurations on Azure AD, one of the most common Identity Providers on the internet. We will detail several pitfalls that we found in AAD integrations, from misconfigurations to design flaws, each of them resulting in complete authentication bypass on affected applications – essentially rendering the identity provider useless.
We will then detail our approach for mapping exposed cloud resources, scanning the web to find vulnerable applications, and narrowing down the results to high-profile targets. As a case study, we will demonstrate how we utilized this technique to bypass authentication on several highly sensitive Microsoft enterprise applications, including an internal CMS that allowed us to take over Bing.com.
Join us to learn how to identify and map exposed Azure AD applications, as well as how to protect them in your environment.
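The abstract does not spell out which checkbox or claim check was involved. The following is an added illustration, not code from the talk or from Microsoft, of the class of misconfiguration it describes, under the assumption that the application was registered as multi-tenant (accepting accounts from any Azure AD directory) while its backend validated only the token's audience and not the issuing tenant. It contrasts that check with one that pins the tenant and cross-checks the issuer. Signature verification against the tenant's signing keys is assumed to have happened before these claim checks; the tenant and application IDs are made-up placeholders, and the tokens are constructed unsigned so the example runs offline.

```python
"""
Added example (not the talk's code): why an Azure AD application must pin the
tenant, not only the audience, when it accepts tokens.

Assumptions, none of which are stated in the abstract:
- The misconfigured pattern is the multi-tenant case: the app accepts sign-ins
  from any directory and the backend checks only the "aud" claim.
- JWT signature verification has already been done; only claim checks follow.
- All identifiers below are constructed placeholders, not real tenants or apps.
"""
import base64
import json

# Constructed placeholder identifiers (hypothetical).
OUR_TENANT = "11111111-1111-1111-1111-111111111111"
OUR_APP_ID = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
ATTACKER_TENANT = "22222222-2222-2222-2222-222222222222"


def _b64url(obj):
    """Base64url-encode a JSON object without padding, as JWTs do."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def make_token(claims):
    """Build an unsigned ('alg': 'none') test token so the example runs offline."""
    return f"{_b64url({'alg': 'none', 'typ': 'JWT'})}.{_b64url(claims)}."


def decode_claims(token):
    """Return the payload claims of a JWT (no signature check performed here)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def accept_token_vulnerable(token):
    """Misconfigured pattern: audience only.

    For a multi-tenant registration, Azure AD issues tokens with aud == our app ID
    to users of *any* tenant who sign in, so this check alone admits outsiders.
    """
    claims = decode_claims(token)
    return claims.get("aud") == OUR_APP_ID


def accept_token_hardened(token, allowed_tenants=frozenset({OUR_TENANT})):
    """Check audience, tenant allowlist, and issuer/tenant consistency.

    allowed_tenants is the set of directories that are actually meant to use
    the app (just our own for a single-tenant app, or the onboarded customers
    for a genuinely multi-tenant one).
    """
    claims = decode_claims(token)
    tid = claims.get("tid")
    if claims.get("aud") != OUR_APP_ID:
        return False
    if tid not in allowed_tenants:
        return False
    # The v2.0 issuer embeds the tenant ID; it must name the same tenant as tid,
    # so a token cannot claim one tenant in "iss" and another in "tid".
    expected_iss = f"https://login.microsoftonline.com/{tid}/v2.0"
    return claims.get("iss") == expected_iss


def build_sample_tokens():
    """Constructed sample tokens: a legitimate one, a foreign-tenant one, and an inconsistent one."""
    legit = make_token({
        "aud": OUR_APP_ID,
        "iss": f"https://login.microsoftonline.com/{OUR_TENANT}/v2.0",
        "tid": OUR_TENANT,
        "sub": "employee",
    })
    foreign = make_token({
        "aud": OUR_APP_ID,
        "iss": f"https://login.microsoftonline.com/{ATTACKER_TENANT}/v2.0",
        "tid": ATTACKER_TENANT,
        "sub": "outsider",
    })
    mismatched = make_token({
        "aud": OUR_APP_ID,
        "iss": f"https://login.microsoftonline.com/{OUR_TENANT}/v2.0",
        "tid": ATTACKER_TENANT,
        "sub": "outsider",
    })
    return {"legit": legit, "foreign": foreign, "mismatched": mismatched}


if __name__ == "__main__":
    for name, tok in build_sample_tokens().items():
        print(f"{name:10s} vulnerable={accept_token_vulnerable(tok)} "
              f"hardened={accept_token_hardened(tok)}")
```

The point of the comparison is that, with a multi-tenant registration, the identity provider does its job correctly: it issues a valid, correctly signed token for the application to whoever signs in. The application alone decides whether that user's directory is one it trusts, and an audience-only check never asks that question.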