Four years: That's how long Azure's App Service had a source code leak bug

Firm that found the flaw also spotted ChaosDB and OMIGOD, confident this one’s been exploited


Microsoft has revealed a vulnerability in its Azure App Service for Linux allowed the download of files that users almost certainly did not intend to be made public.

Microsoft bills the Azure App Service as just the thing if you want to “Quickly and easily create enterprise-ready web and mobile apps for any platform or device, and deploy them on a scalable and reliable cloud infrastructure.”

Note that description does not mention security.

The omission was oddly prescient, because cloud security outfit Wiz probed the service and found what it described as “insecure default behaviour in the Azure App Service that exposed the source code of customer applications written in PHP, Python, Ruby, or Node, that were deployed using ‘Local Git’.”

Wiz has named the flaw “NotLegit” and asserts it’s been around since September 2017 and “has probably been exploited in the wild.”

The core of the flaw is that when Azure App Service users uploaded their git repositories to the service, the repos landed in the publicly accessible directory /home/site/wwwroot directory. Among those uploads was the .git folder, which contains source code and other confidential info. All of which was dangling on the web for all to see.

People were looking. Wiz’s post states that it created a vulnerable Azure App Service application and within four days detected multiple attempts to reach its .git folder.

Microsoft has ’fessed up to the flaw and offered its view that it impacted a “limited subset of customers” that it will help to set things to rights.

Wiz has form spotting bad Azure bugs: it also found the ChaosDB flaw that allowed unauthorised read and write access to Microsoft’s Azure Cosmos DB, and the “OMIGOD” family of flaws that allowed unauthorized code execution on Azure servers.

Microsoft paid a $7,500 bounty to Wiz for finding the flaw, which was responsibly disclosed in September, and saw Microsoft advise customers of the issue before disclosing it in a blog post dated December 22nd. ®

Broader topics


Other stories you might like

Biting the hand that feeds IT © 1998–2022