A security vulnerability has been discovered in Microsoft’s Azure App Service that has exposed the source code of client applications written in Java, Node, PHP, Python and Ruby for at least four years since September 2017.
The vulnerability, codenamed “NotLegit”, was reported to the tech giant by Wiz researchers on October 7, 2021, following which mitigation measures were taken to fix the information disclosure bug in November. Microsoft noted that a “limited subset of customers” are at risk, adding that “customers who deployed code to App Service Linux through Local Git after files had already been created in the app were the only customers affected.”
Azure App Service (aka Azure Web Apps) is a cloud-based platform for building and hosting web applications. It allows users to deploy source code and artifacts to the service from a Git repository, or through repositories hosted on GitHub and Bitbucket.
The insecure default behavior occurs when the Local Git method is used to deploy to Azure App Service, resulting in a scenario where the Git repository is created in a publicly accessible directory (/home/site/wwwroot).
While Microsoft adds a “web.config” file to the .git folder, which contains the state and history of the repository, to restrict public access, that configuration file is only honored by C# or ASP.NET applications that rely on Microsoft’s own IIS web server, leaving applications written in other languages such as PHP, Ruby, Python or Node, which are deployed behind different web servers like Apache, Nginx and Flask, unprotected.
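The gap described above (a web.config rule that only IIS enforces) can be closed in the application layer for the non-IIS stacks the article names. The following is an added example, not code from Microsoft, Wiz or the article: a small WSGI middleware that refuses any request whose normalized path contains a `.git` segment (the same effect as the IIS rule, for a Python app served by Gunicorn, uWSGI or similar), plus a helper that interprets the response to a GET of `/.git/HEAD` on an app you operate, so a self-audit can tell an exposed repository apart from a catch-all route. The inner app, hostnames and sample responses are constructed for the example.

```python
"""Defender-side checks for a Git repository left under the web root.

1. deny_git_paths(): WSGI middleware returning 404 for any path whose
   normalized form has a ".git" segment. Assumed deployment: a Python
   web app behind a WSGI server, where no IIS web.config applies.
2. classify_head_response(): given the status and body of a GET of
   /.git/HEAD on your own app, decide whether the repo is exposed.
Example code; not the Azure App Service or Wiz implementation.
"""
import posixpath
from urllib.parse import unquote


def has_git_segment(raw_path: str) -> bool:
    """True if the request path, after decoding, points into a .git dir.

    Percent-decoding and normpath defeat the usual evasions such as
    /static/%2e%2e/.git/config or //.git/HEAD.
    """
    decoded = unquote(raw_path)
    normalized = posixpath.normpath("/" + decoded.lstrip("/"))
    return any(segment == ".git" for segment in normalized.split("/"))


def deny_git_paths(app):
    """Wrap a WSGI app so repository files are never served."""
    def wrapped(environ, start_response):
        if has_git_segment(environ.get("PATH_INFO", "")):
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"Not Found\n"]
        return app(environ, start_response)
    return wrapped


def classify_head_response(status: int, body: bytes) -> str:
    """Interpret a response to GET /.git/HEAD on an app you operate.

    Returns "exposed", "not-exposed" or "inconclusive".
    """
    if status != 200:
        return "not-exposed"
    text = body.decode("utf-8", errors="replace").strip()
    if text.startswith("ref: refs/heads/"):
        return "exposed"        # symbolic ref: a real HEAD file is served
    if len(text) == 40 and all(c in "0123456789abcdef" for c in text):
        return "exposed"        # detached HEAD: bare commit SHA-1
    return "inconclusive"       # 200 but not a HEAD file (e.g. SPA catch-all)


# --- constructed inner app and a tiny WSGI driver for local use ---------

def _hello_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


def simulate(app, path: str):
    """Call a WSGI app for one GET and return (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": path},
                        start_response))
    return captured["status"], body


if __name__ == "__main__":
    guarded = deny_git_paths(_hello_app)
    for path in ("/index.html", "/.git/HEAD", "/static/%2e%2e/.git/config"):
        print(path, "->", simulate(guarded, path)[0])
    # constructed sample responses, as a self-audit script would see them
    print(classify_head_response(200, b"ref: refs/heads/main\n"))
    print(classify_head_response(404, b"Not Found"))
    print(classify_head_response(200, b"<!doctype html><html>..."))
```

The middleware belongs in front of the application only as a backstop; the root fix is to keep the repository out of `/home/site/wwwroot` (or to redeploy so that it is not created there). The self-audit helper is deliberately offline: feed it the status and body you already fetched from your own hostnames, and treat "inconclusive" as a prompt to inspect manually rather than as a clean bill of health.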
“Basically all a malicious actor had to do was grab the target application’s ‘/.git’ directory and grab its source code,” said Shir Tamari, researcher at Wiz. “Malicious actors are constantly searching the Internet for exposed Git files from which they can collect secrets and intellectual property. Besides the possibility that the source may contain secrets such as passwords and access tokens, the leaked source code is often used for other sophisticated attacks.
“Finding vulnerabilities in software is much easier when the source code is available,” Tamari added.