Cloud Security, Cloud Security, Vulnerability Management

Security flaw found in Azure App Service exposes source code of customer apps

A building on the Microsoft Headquarters campus in Redmond, Wash. Researchers recently found a security flaw in the Microsoft Azure App Service that was promptly mitigated. (Stephen Brashear/Getty Images)

Researchers last week detected an insecure default behavior in the Azure App Service that exposed the source code of customer applications written in PHP, Python, Ruby, and Node that were deployed by using “Local Git.”

In a blog post, the Wiz Research Team said the vulnerability – dubbed NotLegit – has existed since September 2017 and more than likely has been exploited in the wild.

The Wiz researchers reported this security flaw to Microsoft on Oct. 7 of this year and by now it has been mitigated. Microsoft has since updated its security recommendations document with an additional section on securing source code. The large software vendor also updated the documentation for in-place deployments.

Leaked source code puts an organization in an incredibly vulnerable position to threat actors, who can instantly steal years of intellectual property or rapidly launch an exploit tailored to unique weaknesses in the source code,” said Jasmine Henry, field security director at JupiterOne.

“The NotLegit vulnerability is especially eye-opening since it highlights the growing security risk caused by privileged accounts and services, even in the absence of a developer error,” Henry said.

Oliver Tavakoli, chief technology at Vectra, said the impact of this vulnerability will be highly variable. Tavakoli said accessing the source code underlying an application (and possibly other files which might have been left in the same directory) may offer information that threat actors could leverage for other attacks.

“The fact that the researchers set up what amounts to a honeypot and saw the vulnerability exploited in the wild is of particular concern as it means that the vulnerability was not a well-kept secret,” Tavakoli said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.