Microsoft, which has invested millions of dollars in OpenAI, announced that it has brought artificial intelligence support to many applications and software, especially Bing. In addition to these software, a critical vulnerability was detected in Bing, which is constantly developing and increasing its question capacity.
Trying to push Bing’s limits, white hat hackers discovered a vital vulnerability where Bing could alter search results or even access the information of all Microsoft accounts. Moreover, you can even accidentally discover this vulnerability while tampering with Microsofft Azure.
You can effortlessly read e-mails of all users around the world.
Hillai Ben-Sasson, one of the white hat hackers of Wiz, one of the prominent cybersecurity firms of recent years, and her team, while researching on Microsoft’s Azure systems, discover a setting where they can control a system called “Bing Trivia”. Activating Bing Trivia, the team states that the system can be used to modify Bing’s search results. Ben-Sasson and his team, using this software originally created to instantly fix bugs in Bing, also encountered a much more serious vulnerability.
Examining the data Bing sent, the team noticed that strangely, the new Bing uses Office 365’s communication systems. Researchers, who examined this system closely, realized that they could access the user’s Outlook e-mails, calendar, Teams messages, OneDrive files and even Word files, thanks to a tiny bit of data to be taken from the computer of the person they want using this network.
Fortunately, Microsoft immediately closed the gap.
Documenting the information they obtained and their suggestions for closing the vulnerability, Ben-Sasson and his team sent an e-mail to Microsoft, stating that they explained the situation and received feedback that the vulnerability was fixed within a few hours. In addition, Ben-Sasson confirmed that the vulnerability was closed.
Microsoft officials gave the team a $40,000 reward, while Ben-Sasson announced that this award would be donated to charities. This critical vulnerability, which could endanger the personal data of many users, was thus closed without being discovered by malicious people.
62294
