Security News > 2020 > March > Azure Red Flag: Microsoft Accidentally Fixes Cloud Config ‘Bug’
UPDATE. Researchers are shedding light on a Microsoft Azure misconfiguration bug that leaked sensitive access tokens, which could have given hackers access to virtual machine instances and cloud-based storage buckets.
According to CyberArk, it found the bug in September and Microsoft "Unintentionally" fixed it within two weeks as part of a regular update to its Azure platform.
Researchers said the Microsoft Azure Portal bug is tied to URL parsing within a JavaScript file used within Azure's Extension Manifest.
The Microsoft Azure Portal is a web-based and unified console for building, managing and monitoring cloud infrastructure.
"In this vulnerability in Microsoft Azure, attackers could take over Azure Accounts by exploiting a misconfiguration bug in Azure Portal's manifest," wrote Omer Tsarfati, a cyber security researcher at CyberArk. "Microsoft ended up fixing this bug, unintentionally, before we could officially report it to them."
News URL
Related news
- Google's got a hot cloud infosec startup, a new unified platform — and its eye on Microsoft's $20B+ security biz (source)
- Microsoft Secures MSA Signing with Azure Confidential VMs Following Storm-0558 Breach (source)
- Microsoft Fixes 78 Flaws, 5 Zero-Days Exploited; CVSS 10 Bug Impacts Azure DevOps Server (source)