4-year-old bug in Azure App Service revealed hundreds of source code repositories

A security vulnerability in Microsoft’s Azure App Service exposed the source code of customer applications written in Java, Node, PHP, Python and Ruby for at least four years, since September 2017.

The vulnerability, named “NotLegit”, was reported to the tech giant by researchers at Wiz on October 7, 2021, after which mitigation measures were taken in November to fix the information disclosure bug. Microsoft said a “limited subset of customers” was at risk, adding that “customers who deployed code to the Linux App Service through Local Git after files had already been created in the app were the only affected customers.”

Azure App Service (aka Azure Web Apps) is a cloud-based platform for building and hosting web applications. It allows users to deploy source code and artifacts to the service using a local Git repository or through repositories hosted on GitHub and Bitbucket.

The insecure default behavior occurs when the Local Git method is used to deploy to Azure App Service: the Git repository is created in a publicly accessible directory (home/site/wwwroot).

Microsoft adds a “web.config” file to the .git folder, which contains the state and history of the repository, to restrict public access. However, web.config files are only honored by C# or ASP.NET applications that run on Microsoft’s own IIS web servers. Applications written in other programming languages like PHP, Ruby, Python or Node, which are deployed with different web servers like Apache, Nginx and Flask, are left unprotected.

“Basically all a malicious actor had to do was grab the target application’s ‘/.git’ directory and grab its source code,” said Shir Tamari, researcher at Wiz. “Malicious actors are constantly searching the Internet for exposed Git files from which they can collect secrets and intellectual property. Besides the possibility that the source may contain secrets such as passwords and access tokens, the leaked source code is often used for other sophisticated attacks.”

“Finding vulnerabilities in software is much easier when the source code is available,” Tamari added.
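For operators who want to check whether a `.git` folder under their web root was ever actually served, the following added example (not from the article, Microsoft or Wiz) scans web server access logs for requests that reach a `.git` directory and separates those that were answered with content from those that were refused. It assumes Apache/Nginx combined log format; the log lines, IP addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Constructed sample lines in combined log format (documentation-range IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2021:08:14:02 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "curl/7.68.0"
203.0.113.7 - - [12/Oct/2021:08:14:03 +0000] "GET /.git/config HTTP/1.1" 200 268 "-" "curl/7.68.0"
198.51.100.20 - - [12/Oct/2021:09:01:44 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.99 - - [12/Oct/2021:09:30:10 +0000] "GET /%2Egit/HEAD HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.15 - - [12/Oct/2021:10:02:31 +0000] "GET /docs/.gitignore-guide.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# client IP, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def git_requests(log_text):
    """Map client IP -> {'served': [...], 'blocked': [...]} for .git requests."""
    hits = defaultdict(lambda: {"served": [], "blocked": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, _method, target, status = m.groups()
        # Drop the query string and decode percent-escapes such as %2Egit.
        path = unquote(urlsplit(target).path)
        # Match a path segment that is exactly ".git", not names like .gitignore-guide.html.
        if ".git" not in [seg.lower() for seg in path.split("/")]:
            continue
        # 2xx means repository content was returned to the client.
        bucket = "served" if status.startswith("2") else "blocked"
        hits[ip][bucket].append(path)
    return dict(hits)


def exposed_clients(hits):
    """Client IPs that received at least one file from the .git directory."""
    return sorted(ip for ip, h in hits.items() if h["served"])


if __name__ == "__main__":
    report = git_requests(SAMPLE_LOG)
    for ip in exposed_clients(report):
        print(f"{ip} was served: {', '.join(report[ip]['served'])}")
```

Any client listed by `exposed_clients` should be treated as having had access to the repository, so secrets committed to it need rotating.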