The vulnerability in Bing enabled the manipulation of search results

A flaw in an Azure configuration allowed any user to log in to the content management system through which Microsoft operates Bing. Such a user could then modify the search results and even insert a payload to hack user accounts.

Researchers call it BingBang. It is a misconfiguration of Azure Active Directory: selecting the wrong option in the backend, where the intent is to allow access only to users in the organization's own directory, gives access to anyone with an Azure account. This turned out to be the case, for example, with the Bing Trivia app, which Microsoft uses to manage trivia search results.
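A defender-side check for the misconfiguration described above, as an added example that is not code from the researchers or from Microsoft. It assumes app registration records shaped like Microsoft Graph application objects (with their `signInAudience` property) and token claims whose signature has already been verified; the app names, IDs and tenant GUIDs are constructed, and the function names are hypothetical.

```python
import json

# Constructed sample in the shape of exported app registrations (not real apps).
SAMPLE_APPS = json.loads("""[
  {"displayName": "internal-cms", "appId": "00000000-0000-0000-0000-000000000001",
   "signInAudience": "AzureADMultipleOrgs"},
  {"displayName": "hr-portal", "appId": "00000000-0000-0000-0000-000000000002",
   "signInAudience": "AzureADMyOrg"},
  {"displayName": "public-site", "appId": "00000000-0000-0000-0000-000000000003",
   "signInAudience": "AzureADandPersonalMicrosoftAccount"}
]""")

SINGLE_TENANT = "AzureADMyOrg"                          # only the home directory may sign in
HOME_TENANT = "11111111-1111-1111-1111-111111111111"    # constructed tenant ID


def find_exposed_apps(apps, reviewed_public=frozenset()):
    """Return registrations that accept sign-ins from outside the home tenant
    and have not been explicitly reviewed as intentionally public.
    A record with no signInAudience is flagged too, since its scope is unknown."""
    return [a for a in apps
            if a.get("signInAudience") != SINGLE_TENANT
            and a.get("appId") not in reviewed_public]


def authorize(claims, allowed_tenants):
    """Application-side check a multi-tenant app still has to perform:
    accept the (already signature-verified) token only if it was issued
    for an allowed tenant and the issuer matches that tenant."""
    tid = claims.get("tid")
    if tid not in allowed_tenants:
        return False
    return claims.get("iss") == f"https://login.microsoftonline.com/{tid}/v2.0"


if __name__ == "__main__":
    for app in find_exposed_apps(SAMPLE_APPS):
        print(f"review: {app['displayName']} ({app['signInAudience']})")
```

An internal tool that shows up in the first list either needs its audience narrowed to the home directory or needs the second check (or an equivalent authorization step) before it grants any access.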

It turned out to be possible to manipulate the search results in the carousel at the top of the screen. Researchers could also put a payload in it to intercept tokens from logged-in users. Any user who clicks on it can give attackers access to all Microsoft applications, such as Outlook mail and SharePoint.

The researchers notified Microsoft on January 31. The vulnerability was closed on February 2. The researchers then waited until the hole had been closed on all Azure platforms where any user could log in before they published information about BingBang.

