Microsoft notifies customers of Azure bug that exposed their source code

Microsoft has notified earlier this month a select group of Azure customers impacted by a recently discovered bug that exposed the source code of their Azure web apps since at least September 2017.

The vulnerability was discovered by cloud security firm Wiz and reported to Microsoft in September. The issue was fixed in November, and Microsoft has spent the last few weeks investigating how many customers were impacted.

Vulnerability impacts Azure website hosting feature

The issue, nicknamed NotLegit, resides in Azure App Service, a feature of the Azure cloud that allows customers to deploy websites and web apps from a source code repository.

Wiz researchers said that in situations where Azure customers selected the "Local Git" option to deploy their websites from a Git repository hosted on the same Azure server, the source code was also exposed online.

All PHP, Node, Ruby, and Python applications deployed via this method were impacted, Microsoft said in a blog post today. Only apps deployed on Linux-based Azure servers were impacted, but not those hosted on Windows Server systems.

Apps deployed as far back as 2013 were impacted, although the exposure began in September 2017, when the vulnerability was introduced in Azure's systems, the Wiz team said in a report today.

Vulnerability was most likely exploited

The most dangerous exposure scenarios are situations where the exposed source code contained a .git configuration file that, itself, contained passwords and access tokens for other customer systems, such as databases and APIs.

For the past decade, there have been multiple botnets that have constantly been scanning the internet for accidentally exposed .git files, knowing that their content could allow threat actors to gain access to more valuable enterprise infrastructure.

While threat actors might not have known of the NotLegit vulnerability in itself, Shir Tamari, Head of Research at Wiz, told The Record that he believes the vulnerability was very likely exploited indirectly.

In an interview today, Tamari said they created an insecure Azure-hosted website for their tests, and during the course of four hours, they observed five different threat actors access the exposed source code and the .git configuration file.