Microsoft has fixed a bug in the Azure Automation service that could have allowed one account owner to access another customer’s accounts using the same service.
Azure Automation lets customers automate cloud management tasks or jobs, update Windows and Linux systems, and automate other repetitive tasks.
According to security firm Orca, the bug, which it reported to Microsoft on December 6, allowed a potential attacker on the service to “gain full control over resources and data of a targeted account, depending on the permissions of the account.”
Orca researcher Yanir Tsarimi says the flaw he found allowed him to interact with an internal Azure server that manages the sandboxes of other customers.
“We managed to obtain authentication tokens for other customer accounts through that server. Someone with malicious intentions could’ve continuously grabbed tokens, and with each token, widen the attack to more Azure customers,” explains Tsarimi.
However, Orca also notes that the Managed Identities feature in an Automation account is enabled by default.