Microsoft admits Azure App Service source code leak bug • The Register


Microsoft has revealed a vulnerability in its Azure App Service for Linux that allowed file downloads that users almost certainly did not intend to release to the public.

Microsoft considers Azure App Service the ideal solution if you want to “quickly and easily build business-ready web and mobile applications for any platform or device, and deploy them on a scalable and reliable cloud infrastructure.”

Note that the description does not mention security.

The omission was oddly prescient, as the Wiz cloud security team probed the service and found what they described as “insecure default behavior in Azure App Service that exposed the source code of client applications written in PHP, Python, Ruby or Node, which were deployed using “Local Git”.

Wiz has named the flaw “NotLegit” and claims that it has been around since September 2017 and “has likely been exploited in the wild.”

The heart of the flaw is that when Azure App Service users uploaded their git repositories to the service, the repositories landed in the publicly accessible directory. /home/site/wwwroot phone book. Among those downloads was the .git folder, which contains source code and other confidential information. It was all hanging around the web for anyone to see.

People were watching. Wiz’s message states that he created a vulnerable Azure App Service application and within four days he detected multiple attempts to access his .git folder.

Microsoft admitted to the flaw and said it had impacted a “limited subset of customers” and would help put things back together.

Wiz detected bad Azure bugs: he also found the ChaosDB flaw that allowed unauthorized read and write access to Microsoft’s Azure Cosmos DB, and the “OMIGOD” family of flaws that allowed unauthorized code execution on Azure servers.

Microsoft paid Wiz a $ 7,500 bounty for finding the loophole, which was responsibly disclosed in September, and saw Microsoft notify customers of the issue before disclosing it in a blog post dated December 22. ®

About Raymond A. Bentley

Check Also

Finally, Apple’s iPad has a default weather app – TechCrunch

Hell has frozen over, apparently. Today, Apple addressed a long-standing user complaint about the iPad …