
Microsoft app misconfiguration allows Bing search result hijacking and data snooping.
A misconfigured Microsoft app allowed anyone to modify Bing search results and launch XSS attacks, potentially breaching Office 365 user accounts. The issue was discovered by Wiz Research and reported to Microsoft, which confirmed it was fixed on March 28, 2023. The misconfiguration affects approximately 25% of multi-tenant apps, including some belonging to Microsoft. Microsoft has introduced security enhancements to keep Azure AD misconfiguration issues from becoming a problem again, and it recommends that developers and admins consult its updated guidance on securing multi-tenant applications.