
Four years: That's how long Azure's App Service had a source code leak bug
2021-12-24 06:01

Microsoft has revealed a vulnerability in its Azure App Service for Linux allowed the download of files that users almost certainly did not intend to be made public.

Microsoft bills the Azure App Service as just the thing if you want to "Quickly and easily create enterprise-ready web and mobile apps for any platform or device, and deploy them on a scalable and reliable cloud infrastructure."

The omission was oddly prescient, because cloud security outfit Wiz probed the service and found what it described as "Insecure default behaviour in the Azure App Service that exposed the source code of customer applications written in PHP, Python, Ruby, or Node, that were deployed using 'Local Git'."

The core of the flaw is that when Azure App Service users uploaded their git repositories to the service, the repos landed in the publicly accessible /home/site/wwwroot directory.
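The practical lesson of that paragraph is that anything sitting under a web server's document root is served as a static file, version-control metadata included. The following pre-deploy check is an added example written for this page; it is not code from the article, from Wiz or from Microsoft, and it assumes nothing about how App Service stages repositories. It walks a directory intended as a web root, reports every `.git`, `.svn`, `.hg` or `.bzr` entry that would be reachable over HTTP, and refuses deployment if any is found. The sample web root it builds (an `index.php`, a `.git` directory, and a submodule-style `.git` file under `vendor/lib`) is constructed for the demonstration.

```python
"""Pre-deploy check: refuse to ship a web root that still carries VCS metadata.

Added example, not part of the article or of Wiz's research. The web-root
layout built by build_demo_webroot() is constructed for the demonstration.
"""
import os
import tempfile
from pathlib import Path

# Metadata entries that a web server will serve as ordinary static files
# if they end up under the document root.
VCS_NAMES = {".git", ".svn", ".hg", ".bzr"}


def find_exposed_vcs(webroot: str) -> list[str]:
    """Return web-root-relative paths of VCS metadata found under webroot.

    Both directories and plain files are reported: git worktrees and
    submodules use a '.git' file that points at the real repository, and
    that pointer alone tells a visitor the tree came from git.
    """
    root = Path(webroot)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in list(dirnames):
            if name in VCS_NAMES:
                hits.append((Path(dirpath) / name).relative_to(root).as_posix())
                dirnames.remove(name)  # no need to descend into the metadata itself
        for name in filenames:
            if name in VCS_NAMES:
                hits.append((Path(dirpath) / name).relative_to(root).as_posix())
    return sorted(hits)


def safe_to_deploy(webroot: str) -> bool:
    """True only when nothing under webroot would leak repository metadata."""
    return not find_exposed_vcs(webroot)


def build_demo_webroot(include_vcs: bool = True) -> str:
    """Construct a throwaway web root that mimics the scenario in the article.

    With include_vcs=True the tree carries a top-level .git directory and a
    submodule-style .git pointer file; with include_vcs=False it is clean.
    """
    root = Path(tempfile.mkdtemp(prefix="wwwroot-"))
    (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
    (root / "vendor" / "lib").mkdir(parents=True)
    if include_vcs:
        (root / ".git").mkdir()
        (root / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
        (root / "vendor" / "lib" / ".git").write_text("gitdir: ../../.git/modules/lib\n")
    return str(root)


if __name__ == "__main__":
    demo = build_demo_webroot()
    for hit in find_exposed_vcs(demo):
        print("would be served over HTTP:", hit)
    print("safe to deploy:", safe_to_deploy(demo))
```

Run it as a gate in the deployment pipeline, pointing `find_exposed_vcs` at the directory that will become the document root; a non-empty result should fail the build. The check is deliberately filesystem-only so it runs before anything is exposed, rather than probing the live site afterwards.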

Wiz's post states that it created a vulnerable Azure App Service application and within four days detected multiple attempts to reach its.

Wiz has form spotting bad Azure bugs: it also found the ChaosDB flaw that allowed unauthorised read and write access to Microsoft's Azure Cosmos DB, and the "OMIGOD" family of flaws that allowed unauthorized code execution on Azure servers.


News URL

https://go.theregister.com/feed/www.theregister.com/2021/12/24/azure_app_service_not_legit_source_code_leak/