Security News > 2022 > March > Azure flaw allowed users to control others' accounts

Microsoft has acknowledged the existence of a flaw in its Azure cloud computing service that allowed users full access to other users' accounts.

As Microsoft has admitted, its service went a bit too far and "a user running an automation job in an Azure Sandbox could have acquired the Managed Identities tokens of other automation jobs, allowing access to resources within the Automation Account's Managed Identity."

Orca Security's Yanir Tsarimi tested the extent of the flaw - ironically by using Azure Automation.

The good news is that Tsarimi ran those tests on December 7, 2021 - a day after he reported the flaw to Microsoft.

On December 10, Microsoft fixed the flaw and started to look for other variations on the theme.

"It's also the third major flaw recently found in Azure. In September 2021 the company revealed the"OHMIGOD remote code execution mess, and in December 2021 disclosed the NotLegit flaw that allowed unauthorized file downloads and was present for four years.

News URL

https://go.theregister.com/feed/www.theregister.com/2022/03/08/azure_autowarp_flaw/