Azure App Service exposed hundreds of source code repositories after four years. : Cybercrime Awareness Society

esteria.white

A security flaw was discovered in Microsoft’s Azure App Service that exposed the source code of client applications written in Java, Node, PHP, Python and Ruby for at least four years since September 2017.

According to Wiz researchers, the vulnerability, named “Not Legit,” was first reported to the tech giant on October 7, 2021, and mitigations were implemented to fix the bug in November. Microsoft said “a limited subset of customers” are at risk. “Customers who deployed code to App Service Linux via Local Git after the files had already been created in the application are the only customers affected.”

Azure App Service (aka Azure Web Apps) is a platform for building and hosting web applications in the cloud. Source code and artifacts can be deployed to the service from a local Git repository or from GitHub and Bitbucket repositories. When the Local Git method is used to deploy to Azure App Service, the Git repository is created in a publicly accessible directory (home/site/wwwroot). Microsoft adds a “web.config” file to the repository’s .git folder to restrict public access, but such configuration files are only honoured by C# or ASP.NET applications that run on Microsoft’s IIS web server, leaving PHP, Ruby, Python and Node applications, which run on other servers such as Apache, Nginx or Flask, without that protection.
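The paragraph above describes the mechanism in two parts: the deployed repository sits under the web root, and only IIS reads the web.config that is supposed to keep it private. The following Python block is an added example (it is not code from the article, from Microsoft or from Wiz) that models both halves on the defender's side: a path resolver that serves anything under the web root, as a server that ignores web.config would, beside a hardened resolver that refuses any request reaching into `.git`, plus a pre-deploy scan that lists `.git` folders under a deployment directory so a leak can be caught before the app goes live. It assumes a web root of `/home/site/wwwroot` (the article gives it as home/site/wwwroot) and, as a generalisation the article does not state, optionally refuses every dot-prefixed segment such as `.env` or `.svn`, not only `.git`; all paths and the sample directory tree are constructed for the example.

```python
"""Added example: modelling the exposed-.git behaviour and its mitigation.

Not code from the article, Microsoft or Wiz. Paths and the sample deployment
tree are constructed for the example.
"""
import os
import posixpath
import tempfile
from typing import List, Optional
from urllib.parse import unquote

# Constructed value for this example; the article gives the web root as
# home/site/wwwroot, the directory Local Git deployments land in.
WEB_ROOT = "/home/site/wwwroot"


def _normalise(request_path: str) -> List[str]:
    """Decode percent-escapes, collapse '.', '..' and duplicate slashes, and
    return the request path as a list of segments relative to the web root."""
    decoded = unquote(request_path)
    # Anchoring at '/' before normpath means '..' can never climb above the root.
    clean = posixpath.normpath("/" + decoded.lstrip("/"))
    return [seg for seg in clean.split("/") if seg]


def resolve_unfiltered(web_root: str, request_path: str) -> str:
    """Model of a server that serves anything under the web root: a request for
    /.git/HEAD maps straight to the file inside the deployed repository. This is
    the behaviour the article describes for non-IIS stacks, where the
    web.config placed in .git is never consulted."""
    return posixpath.join(web_root, *_normalise(request_path))


def resolve_hardened(web_root: str, request_path: str,
                     deny_all_dotdirs: bool = True) -> Optional[str]:
    """Same mapping, but refuse any path containing a '.git' segment.
    With deny_all_dotdirs=True (a generalisation, not something the article
    states) every dot-prefixed segment such as .env or .svn is refused too.
    Returns None for a refused request (the server would answer 403/404)."""
    segments = _normalise(request_path)
    for seg in segments:
        if seg == ".git" or (deny_all_dotdirs and seg.startswith(".")):
            return None
    return posixpath.join(web_root, *segments)


def find_git_dirs(root: str) -> List[str]:
    """Pre-deploy check: list every directory under `root` that contains a .git
    folder ('.' for the root itself). Anything returned is a repository that a
    permissive server would expose once `root` becomes the web root."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        if ".git" in dirnames:
            hits.append(os.path.relpath(dirpath, root))
            dirnames.remove(".git")  # no need to descend into the repo itself
    return sorted(hits)


def demo_scan() -> List[str]:
    """Build a constructed deployment tree in a temp dir and scan it:
    a repository at the root and a nested one under app/."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, ".git"))
        os.makedirs(os.path.join(tmp, "app", ".git"))
        os.makedirs(os.path.join(tmp, "static"))
        with open(os.path.join(tmp, ".git", "HEAD"), "w") as fh:
            fh.write("ref: refs/heads/main\n")  # constructed content
        return find_git_dirs(tmp)


if __name__ == "__main__":
    for req in ["/index.php", "/.git/HEAD", "/%2egit/config", "/a/../.git/HEAD"]:
        print(f"{req:18} unfiltered -> {resolve_unfiltered(WEB_ROOT, req)}")
        print(f"{'':18} hardened   -> {resolve_hardened(WEB_ROOT, req)}")
    print("repositories under web root:", demo_scan())
```

The hardened resolver normalises before filtering so that percent-encoded or `..`-laden spellings of `.git` are caught as well as the plain form; the equivalent rule on a real deployment is a deny rule for `/.git` in the Apache or Nginx configuration, which, unlike web.config, the server in question actually reads. The scan is the cheap check to run on the deployment directory before it is published.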

Shir Tamari, a researcher at Wiz, said a malicious actor simply needs to fetch the target app’s “/.git” directory to obtain its source code. Malicious actors continually search the Internet for exposed Git folders from which they can obtain secrets and intellectual property. Additionally, leaked source code can often be used to mount more sophisticated and dangerous attacks.
