Error in Azure Gives Control Over Someone Else’s Account

Read Time:1 Minute, 19 Second

A security researcher has discovered that it is possible in Azure to access the account of others. However, there are no indications that malicious parties have done this, according to Microsoft.

The vulnerability is called AutoWarp and was discovered by Yanir Tsarimi of security company Orca Security. He discovered the problem on December 7 and reported it the next day, with Microsoft already fixing the problem on December 10.

AutoWarp could be abused via the Azure Automation Services, a service to automate actions with Powershell or Python, among other things. To do that, you need a link to a managed identity that has the necessary permissions. But due to poor security, it is also possible to obtain the managed identity tokens from other automation commands. As a result, you also get access to someone else’s account.

In a blog post and on Twitter, Tsarimi explains his method in detail. He says he randomly tested a number of features in Azure, looking for potential problems, and found, among other things, that specific ports allowed access to specific managed identity tokens.

In his own words, Tsarimi was able to gain access to the account of a global telecom company, two car manufacturers, a banking group and four large accounting firms.

After reporting to Microsoft, the vulnerability was kept quiet for a while so that Microsoft could find out whether variants of the vulnerability existed. In the meantime, the company says there are no traces that hackers have exploited the vulnerability. However, Tsarimi himself received a bug bounty of 40,000 euros for his discovery.