Cloud Security

Misconfiguration issue in Azure Active Directory gets patched

Microsoft has released a patch to address a misconfiguration issue in Azure Active Directory that could allow unauthorized access to crucial applications, The Hacker News reports. The root of the vulnerability lies in a so-called Shared Responsibility confusion in which an Azure app can be configured improperly such that users can access it from any Microsoft tenant without authorization. Researchers at cloud security firm Wiz said that several Microsoft apps including the Bing Trivia app also exhibit this behavior, which in Bings case poses the critical risk of being used to launch a cross-site scripting attack to steal Outlook emails, OneDrive files,Teams messages, and SharePoint documents. A malicious actor with the same access could've hijacked the most popular search results with the same payload and leak sensitive data from millions of users, according to Wiz researcher Hillai Ben-Sasson. Microsoft awarded Wiz a $40,000 bug bounty after being informed of the vulnerability.

Related

LockBit-leaked DC city agency data from third party

Washington, D.C.'s Department of Insurance, Securities and Banking has disclosed that 800GB of data claimed to have been stolen by the LockBit ransomware operation was obtained from an attack against third-party software provider Tyler Technologies following the ransomware gang's threats to expose 1GB of the exfiltrated data to coerce the agency into providing the demanded ransom, reports The Record, a news site by cybersecurity firm Recorded Future.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.