The cloud computing skies have been somewhat stormy of late for Microsoft, which has found itself in the crosshairs not only of an attacker who abused authentication but also of the security firm Tenable, which argued that the cloud services giant has a broader problem with authentication. A post by Microsoft and a write-up by Tenable both highlighted cloud authentication and illuminated some of its weaknesses.
In the Tenable post, Microsoft was taken to task for its lack of transparency in cloud security. As Tenable CEO Amit Yoran described it, the issue “occurred as a result of insufficient access control to Azure Function hosts, which are launched as part of the creation and operation of custom connectors in Microsoft’s Power Platform (Power Apps, Power Automation).”
In practice, anyone who could guess or discover the right Azure hostname could reach the function without authenticating. As Yoran wrote, “It was therefore possible for an attacker who determined the hostname of the Azure Function associated with the custom connector to interact with the function, as defined by the custom connector code, without authentication. With one such hostname, an attacker could determine the hostnames for Azure Functions associated with other customers’ custom connectors, as they differed only by an integer.”
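To make the enumeration problem concrete, the following Python is an added example, not code from Microsoft, Tenable or the original article. It uses constructed sample hostnames of the shape Yoran describes, shows how one known name yields its neighbours when names differ only by an integer, flags such a naming scheme, and contrasts it with the control that was actually missing: an authentication check on the function itself rather than reliance on the hostname being unknown. The `x-functions-key` header is the one Azure Functions use for function-level keys; the hostnames, key values and the handler are illustrative assumptions.

```python
import hmac
import re
import secrets

# Constructed sample hostnames (not real hosts) in the shape the article
# describes: the names differ only by an integer.
SAMPLE_HOSTS = [
    "connector-func-1041.azurewebsites.net",
    "connector-func-1042.azurewebsites.net",
    "connector-func-1043.azurewebsites.net",
]

_INT = re.compile(r"\d+")


def differ_only_by_integer(a: str, b: str) -> bool:
    """True when two hostnames share the same non-digit skeleton and differ
    only in their digits, i.e. one is trivially derivable from the other."""
    return a != b and _INT.sub("#", a) == _INT.sub("#", b)


def neighbouring_hostnames(host: str, radius: int) -> list:
    """The candidates one known host gives away: the same name with its last
    integer stepped down and up by at most `radius`, keeping zero padding."""
    matches = list(_INT.finditer(host))
    if not matches:
        return []
    last = matches[-1]
    n, width = int(last.group()), len(last.group())
    out = []
    for delta in range(-radius, radius + 1):
        if delta == 0 or n + delta < 0:
            continue
        stepped = str(n + delta).zfill(width)
        out.append(host[:last.start()] + stepped + host[last.end():])
    return out


def is_predictable_scheme(hosts: list) -> bool:
    """Flag a naming scheme in which every host is reachable from any other
    by changing an integer alone."""
    return len(hosts) > 1 and all(
        differ_only_by_integer(hosts[0], h) for h in hosts[1:]
    )


def unguessable_hostname(prefix: str, suffix: str = ".azurewebsites.net") -> str:
    """Replace the counter with 128 bits of randomness. This raises the cost
    of guessing but is not a substitute for the authentication check below."""
    return f"{prefix}-{secrets.token_hex(16)}{suffix}"


def authorize(headers: dict, expected_key: str) -> bool:
    """The missing control: require a per-function key (Azure Functions
    present it in the x-functions-key header) and compare it in constant
    time so the check itself does not leak the key byte by byte."""
    presented = headers.get("x-functions-key", "")
    return hmac.compare_digest(presented.encode(), expected_key.encode())


def handle(headers: dict, body: str, expected_key: str) -> tuple:
    """Illustrative connector handler: refuse anonymous callers regardless
    of whether they discovered the hostname."""
    if not authorize(headers, expected_key):
        return 401, "unauthorized"
    return 200, f"connector invoked with {len(body)} bytes"


if __name__ == "__main__":
    print("predictable scheme:", is_predictable_scheme(SAMPLE_HOSTS))
    print("neighbours of", SAMPLE_HOSTS[0], "->",
          neighbouring_hostnames(SAMPLE_HOSTS[0], 2))
    print("random name:", unguessable_hostname("connector-func"))
    key = secrets.token_urlsafe(32)  # illustrative per-function key
    print("anonymous call:", handle({}, "{}", key))
    print("keyed call:", handle({"x-functions-key": key}, "{}", key))
```

The two halves make the point separately: `is_predictable_scheme` is the check to run against your own inventory of function hostnames, while `handle` shows that even an unguessable name should still sit behind a real authentication check, because the hostname will eventually leak through logs, error messages or a single compromised tenant.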
For its part, Microsoft stated in a technical note that it had mitigated the Power Platform Custom Code information disclosure vulnerability and had notified affected customers via the Microsoft 365 Admin Center (MC665159) starting in August 2023; if you did not receive the notification, no action is required.
APIs are at the heart of the cloud security concerns
Application programming interfaces (APIs), which let one piece of software call a service in another without a human logging in, are at the center of the issue. With APIs, it is often difficult to assess the security of an integration until something goes wrong.
Organizations often need to hire specialized consultants to review the software and confirm there are no obvious vulnerabilities. Whether the software is open source or proprietary, the vendor's own review alone is typically not enough to find such issues; it needs to be examined by specialists as well.