WRITEUP #1353

BingBang: The AAD misconfiguration that led to Bing.com results manipulation and account takeover explained

Tags: Auth Bypass, Account takeover, Azure AD, Cloud, XSS, Privilege escalation
by @hillai (Hillai Ben-Sasson)
Program: Microsoft (Bing)
Published: Mar 29, 2023
Added to HackDex: Mar 31, 2023
Read Full Writeup: https://www.wiz.io/blog/azure-active-directory-bing-misconfiguration
RELATED WRITEUPS
Interesting Story of an Account Takeover Vulnerability
Tags: Auth Bypass, Account takeover
Self-XSS to ATO via Site Features
Tags: XSS, Self-XSS
Instagram and Meta 2FA Bypass by Unprotected Backup Code Retrieval in Accounts Center
Tags: Auth Bypass, 2FA / MFA bypass
Forced SSO Session Fixation
Tags: Auth Bypass, SSO
Addressed AWS defaults risks: OIDC, Terraform and Anonymous to AdministratorAccess
Tags: Cloud, OIDC

Built with ❤️ by Shubham Rawat