Unauthorized Access to Cross-Tenant Applications in a Microsoft Azure Service

[Freki123]

Content source

https://www.tenable.com/security/research/tra-2023-25

A researcher at Tenable has discovered an issue that enables limited, unauthorized access to cross-tenant applications and sensitive data (including but not limited to authentication secrets).
Tenable is continuing to work with Microsoft to coordinate the disclosure process, and will update this advisory with more details by 28 September 2023.

Since MS still needs time to fix it in the second try no proofs-of-concept published.

Edit for added source:

“To give you an idea of how bad this is, our team very quickly discovered authentication secrets to a bank,” Yoran wrote. “They were so concerned about the seriousness and the ethics of the issue that we immediately notified Microsoft.”

Microsoft comes under blistering criticism for “grossly irresponsible” security

Azure looks like a house of cards collapsing under the weight of exploits and vulnerabilities.

arstechnica.com

 

[Sandbox Breaker - DFIR]

I know someone who switched from G Workspace to 365. Told them that was a bad idea. Last week they called me asking for spam gateway help . That's just the start. I truly don't think MS can hold its weigh in this weight class!

 

[Freki123]

Nothing screams more "We take security seriously" than the timeline. Bug reported and nothing happens for three month till the first "partial" fix
But the moment you report the problem to the media MS starts to move at rocketspeed...