Another reason to be worried by Microsoft’s Azure security guidelines which state “Identity is the new perimeter”.
Well, the perimeter is not a gate but a cattle guard, and I am not surprised to see some wolves eating a secret and a cow swaggering into the road.
Azure service APIs have always conflated the principles of “reachability from the public internet” and “anonymous access” into a single concept called “Public Access” which, for Azure KV, has 6 different public/private configuration combinations!
This vulnerability report did not include the Key Vault Networking settings for “Public network access”, so more testing (but not much more) is needed to see if the proxy side door can circumvent a resource ACL or private endpoint or both.
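As an added example (this is not code from the thread or from Binary Security's post), here is the check I would run before deciding how much the API Connection side door matters for a given vault: read the vault's ARM properties in the shape `az keyvault show` returns and say which public/private combination it is in. It goes a little beyond the comment above by also reporting approved private endpoints and the trusted-services bypass flag. The field names follow the Microsoft.KeyVault/vaults schema; the three sample vaults are constructed, the subscription and subnet ids in them are placeholders, and `load_vaults`, `classify_exposure` and `flag_internet_reachable` are this example's own names. It only records the configuration; whether the Connections proxy can bypass a resource ACL or a private endpoint is exactly the open question the report leaves unanswered.

```python
"""Classify an Azure Key Vault's network exposure from its ARM resource JSON.

Added example for this thread, not code from the original post or from
Binary Security. Assumption: the field names follow the
Microsoft.KeyVault/vaults schema as returned by `az keyvault show`; the
sample vaults below are constructed, not real resources.
"""
import json

# Constructed sample in the shape of `az keyvault show` output, trimmed to
# the fields this check reads. Subscription/subnet ids are placeholders.
SAMPLE_VAULTS_JSON = """
[
  {"name": "kv-open",
   "properties": {"publicNetworkAccess": "Enabled",
                  "networkAcls": {"defaultAction": "Allow", "bypass": "AzureServices",
                                  "ipRules": [], "virtualNetworkRules": []},
                  "privateEndpointConnections": []}},
  {"name": "kv-firewalled",
   "properties": {"publicNetworkAccess": "Enabled",
                  "networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices",
                                  "ipRules": [{"value": "203.0.113.0/24"}],
                                  "virtualNetworkRules": [{"id": "/subscriptions/placeholder/subnets/app"}]},
                  "privateEndpointConnections": []}},
  {"name": "kv-private",
   "properties": {"publicNetworkAccess": "Disabled",
                  "networkAcls": {"defaultAction": "Deny", "bypass": "None"},
                  "privateEndpointConnections": [
                     {"properties": {"privateLinkServiceConnectionState": {"status": "Approved"}}}]}}
]
"""


def load_vaults(text):
    """Parse a JSON array of vault resources."""
    return json.loads(text)


def classify_exposure(vault):
    """Return which public/private combination a vault is in.

    None of these labels means anonymous access: the Key Vault data plane
    always requires an Entra ID token. These settings only control *where*
    a caller may connect from, which is the conflation the thread complains about.
    """
    props = vault.get("properties") or {}
    # ARM defaults: an absent publicNetworkAccess behaves as Enabled and an
    # absent networkAcls behaves as defaultAction=Allow, so a bare vault is
    # reachable from every internet IP.
    public_access = props.get("publicNetworkAccess", "Enabled")
    acls = props.get("networkAcls") or {}
    default_action = acls.get("defaultAction", "Allow")
    bypass = acls.get("bypass", "AzureServices")
    ip_rules = acls.get("ipRules") or []
    vnet_rules = acls.get("virtualNetworkRules") or []
    approved_endpoints = sum(
        1 for conn in props.get("privateEndpointConnections") or []
        if (conn.get("properties") or {})
           .get("privateLinkServiceConnectionState", {})
           .get("status") == "Approved"
    )

    if public_access == "Disabled":
        label = ("private-endpoint-only" if approved_endpoints
                 else "unreachable: public access disabled, no approved private endpoint")
        any_internet_ip = False
    elif default_action == "Allow":
        label = "public: any internet IP"
        any_internet_ip = True
    else:
        label = "public: selected networks only"
        any_internet_ip = False

    return {
        "name": vault.get("name"),
        "label": label,
        "reachable_from_any_internet_ip": any_internet_ip,
        # Explicit allow-list entries; only meaningful under defaultAction=Deny.
        "allowed_sources": len(ip_rules) + len(vnet_rules) if default_action == "Deny" else None,
        # Raw config value; it only takes effect when the firewall is in Deny mode.
        "trusted_services_bypass": bypass == "AzureServices",
        "approved_private_endpoints": approved_endpoints,
    }


def flag_internet_reachable(vaults):
    """Names of vaults whose data plane accepts connections from any internet IP."""
    return [v["name"] for v in vaults
            if classify_exposure(v)["reachable_from_any_internet_ip"]]


if __name__ == "__main__":
    vaults = load_vaults(SAMPLE_VAULTS_JSON)
    for result in map(classify_exposure, vaults):
        print(result)
    print("internet-reachable:", flag_internet_reachable(vaults))
```

Feed it the real thing with `az keyvault show -n <vault> -o json` wrapped in a JSON array; the defaults in `classify_exposure` are deliberate so that a vault created with no network settings at all is flagged as internet-reachable rather than silently skipped.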
At this point I have close to a decade of working with Azure and AWS/GCP and I can confidently say Azure is the worst when it comes to security, objectively.
Performance, "I don't like the portal", service and capacity availability, and such complaints are somewhat subjective or fixable but I deeply believe Microsoft is the most insecure of the cloud giants on a measurable level.
Anyone that is serious about security should just avoid Microsoft, this has honestly been the case since the early '00s at the least.
As someone who is greatly motivated to move off Azure (to onprem, not to another cloud), do you know of any good collection of Azure security issues I could use as 'ammunition'? Would be greatly appreciated!
UPD: note to self - this seems like a good resource https://www.cloudvulndb.org/results
I have some notes somewhere but unfortunately they don't have citations, these are just some of the vulns they've had in the last couple years:
• Storm-0558 Breach (2023): Chinese hackers exploited a leaked signing key from a crash dump to access U.S. government emails, affecting 60,000+ State Department communications
• Azure OpenAI Service Exploitation (2024): Hackers bypassed AI guardrails using stolen credentials to generate illicit content, leading to Microsoft lawsuits against developers in Iran, UK, and Vietnam
• CVE-2025-21415 (CVSS 9.9): Spoofing vulnerability in Azure AI Face Service allowed authentication bypass and privilege escalation
• CVE-2023-36052: Azure CLI logging flaw exposed plaintext credentials in CI/CD pipelines, risking sensitive data leakage
• Azurescape (2022): Container escape vulnerability enabled cross-tenant access in Azure Container Instances, discovered by Palo Alto Networks
• ChaosDB (2022): Wiz researchers exploited CosmosDB’s Jupyter Notebook integration to access thousands of customer databases including Fortune 500 companies
• Executive Account Takeover Campaign (2024): Phishing campaign compromised 500+ executive accounts via Azure collaboration tools with MFA manipulation
If your company or workplace is considering migrating from cloud to on-prem or from one cloud to another, I do this professionally btw, feel free to reach out at this temporary email and we can chat: pale.pearl2178 at fastmail.com (to prevent my real email being scraped from HN).
Great, thanks!
For me it's just a distant dream now, but I bet business will be booming for you in the coming years, especially if you're located in Europe ;)
This list of vulns nobody was ever bothered with except for 1 (Storm-0558) doesn't prove your ridiculously sensational comment above.
Binary Security found the undocumented APIs for Azure API Connections. In this post we examine the inner workings of the Connections allowing us to escalate privileges and read secrets in backend resources for services ranging from Key Vaults, Storage Blobs, Defender ATP, to Enterprise Jira and SalesForce servers.
That’s a scary vulnerability. There’s no mention of the bug bounty paid out for it but I hope it was substantial.
Well at the bottom of the article, they mention that Microsoft first closed the issue as invalid, and on the second attempt they closed it as "cannot be reproduced" (after fixing it).
So from that I can imply there was no payment.
I've reported a trivial way to infer details about passwords in Windows. (Ctrl-arrow in password fields in Windows 8 jumped by character group even when hidden so if a prefilled password was 123 abc.de it would stop after 3, after space (I think), after c, after dot and finally after e.)
All I got was an email: that is interesting bye bye. But it was fixed in the next patch or the next after I think.
So I didn't care to report the two bigger problems I found with Azure Information Protection [1][2]. I thought about reporting them but decided against it.
And I will continue to tell people that I don't care to do free work for MS when they won't even give me a t-shirt, a mug or even acknowledge it.
Maybe if one is a security researcher it can be worth it, but if you just find something interesting you'll probably be better rewarded by reddit or HN. Yes, the upvotes are worthless, but less so than a dismissive email.
[1]: one in the downloadable AIP tooling where you can easily smuggle clear text information with rock solid plausible deniability - I found it by accident after having implemented a part of a pipeline in the most obvious way I could think of.
[2]: the second had to do with how one can configure SharePoint to automatically protect files with AIP on download, the only problem being if you logged in using another login sequence (sorry for the lack of details, this was before the pandemic and it was just a small part of what I was working on at the time) SharePoint would conveniently forget all about it despite all efforts by me, the security admin at the company and the expert that Microsoft sent to fix it.
> the expert that Microsoft sent to fix it.
Ha ... ha ... ha ... ha ... did they give you the run around for several months until you dropped the issue? It's actually pretty astounding that they don't get sued for this practice. If a company is paying for support and is given illiterate noobs then that is breach of contract I would think. I would never recommend entering a contract with MSFT, they produce trash products they can't support and are more invested in their Legal team than actual product.
I thought the same when a friend of mine reported something to Apple. I would guess it's SOP at this point across big tech, unless something is too big to ignore.
It's a feature not a bug: "Azure’s Security Vulnerabilities Are Out of Control" - https://www.lastweekinaws.com/blog/azures_vulnerabilities_ar...
> Let’s start with some empathy, because let’s face it: Nobody sets out to build something insecure except maybe a cryptocurrency exchange.
:-)
At least this new one seems to have been fixed within two months: 6 Jan to Feb 20th.
So this was vulnerable ? https://azure.microsoft.com/en-us/explore/global-infrastruct...
>The Connector for Key Vaults is maybe the one with the highest impact.
Yeah, no joke. Considering how well protected Azure Key Vaults typically are, and what's in them (secrets, certificates etc), this is a huge way to compromise a lot of other things. It's finding the keys to the doors.