Cloud computing: Microsoft fixes Azure flaw that could have allowed access to other accounts

Microsoft has fixed a bug in the Azure Automation service that could have allowed one account owner to access another customer’s accounts using the same service. 

Azure Automation lets customers automate cloud management tasks or jobs, update Windows and Linux systems, and automate other repetitive tasks. 

According to security firm Orca, the bug, which it reported to Microsoft on December 6, allowed a potential attacker on the service to “gain full control over resources and data of a targeted account, depending on the permissions of the account.”


Orca researcher Yanir Tsarimi says the flaw he found allowed him to interact with an internal Azure server that manages the sandboxes of other customers. 

“We managed to obtain authentication tokens for other customer accounts through that server. Someone with malicious intentions could’ve continuously grabbed tokens, and with each token, widen the attack to more Azure customers,” explains Tsarimi.

Microsoft has clarified that only Azure Automation accounts that used Managed Identities tokens for authorization and an Azure Sandbox for job runtime and execution were exposed.  

However, Orca also notes that the Managed Identities feature in an Automation account is enabled by default. 

Microsoft says

Read More: https://www.zdnet.com/article/cloud-computing-microsoft-fixes-azure-flaw-that-could-have-allowed-access-to-other-accounts/#ftag=RSSbaffb68