4-Year-Old Bug in Azure App Service Exposed Hundreds of Source Code Repositories
2021-12-23 02:00

A security flaw has been unearthed in Microsoft's Azure App Service that resulted in the exposure of source code of customer applications written in Java, Node, PHP, Python, and Ruby for at least four years since September 2017.

Microsoft said the flaw affected a "limited subset of customers," adding, "Customers who deployed code to App Service Linux via Local Git after files were already created in the application were the only impacted customers."

The Azure App Service is a cloud computing-based platform for building and hosting web applications.

It allows users to deploy source code and artifacts to the service using a local Git repository, or via repositories hosted on GitHub and Bitbucket.

The insecure default behavior occurs when the Local Git method is used to deploy to Azure App Service, resulting in a scenario where the Git repository is created within a publicly accessible directory.
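A defender-side check for the condition described above, added here as an example and not taken from the article or from Microsoft: it walks a directory that is served to the web and reports any Git repository inside it, flagging remotes that embed credentials. The function names, the sample directory layout and the sample remote URL are constructed for illustration.

```python
import os
import re
import tempfile

HEAD_RE = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40})$")
# Remote URL carrying embedded credentials, e.g. https://user:token@host/repo
CRED_URL_RE = re.compile(r"url\s*=\s*\w+://[^/\s:@]+:[^/\s@]+@")

def _read(path):
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return ""

def find_exposed_git_dirs(web_root):
    """Report Git repositories that live inside the directory being served."""
    findings = []
    for dirpath, dirnames, _ in os.walk(web_root):
        if ".git" not in dirnames:
            continue
        dirnames.remove(".git")  # do not descend into the repository itself
        git_dir = os.path.join(dirpath, ".git")
        head = _read(os.path.join(git_dir, "HEAD")).strip()
        if not HEAD_RE.match(head):
            continue  # a directory named .git that is not a repository
        config = _read(os.path.join(git_dir, "config"))
        findings.append({
            "path": os.path.relpath(git_dir, web_root),
            "head": head,
            "credentials_in_remote": bool(CRED_URL_RE.search(config)),
        })
    return findings

def build_sample_root():
    """Constructed sample: a web root with one real repo and one empty decoy."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, ".git"))
    os.makedirs(os.path.join(root, "static", ".git"))  # decoy, no HEAD file
    with open(os.path.join(root, ".git", "HEAD"), "w") as fh:
        fh.write("ref: refs/heads/master\n")
    with open(os.path.join(root, ".git", "config"), "w") as fh:
        fh.write('[remote "origin"]\n'
                 "\turl = https://deploy:EXAMPLE-TOKEN@git.example.invalid/app.git\n")
    return root

if __name__ == "__main__":
    for finding in find_exposed_git_dirs(build_sample_root()):
        print(finding)
```

Any finding means the repository should be moved out of the served directory or blocked at the web server, and any credential it contains should be rotated.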

"Malicious actors are continuously scanning the internet for exposed Git folders from which they can collect secrets and intellectual property. Besides the possibility that the source contains secrets like passwords and access tokens, leaked source code is often used for further sophisticated attacks."


News URL

https://thehackernews.com/2021/12/4-year-old-bug-in-azure-app-service.html