Check Point security researchers spotted flaws in Microsoft Azure that could have let hackers take control over the cloud servers.
The work was part of a wider project looking at cloud infrastructure, dubbed “Attack the Cloud”, in which Check Point wants to “break the assumption that cloud infrastructures are secure”.
With Microsoft Azure, the researchers spotted two flaws. The first was in Azure Stack, and could have let criminals take screenshots or see other sensitive information by taking advantage of a vulnerability in the “DataService” function, which didn’t require authentication.
“This security flaw would enable a hacker to get sensitive information of any business that has its machine running on Azure,” the researchers said. “In order to execute the exploitation, a hacker would first gain access to the Azure Stack Portal, enabling that person to send unauthenticated HTTP requests that provide screenshots and information about tenants and infrastructure machines.”
The second flaw was in the Azure App Service, where businesses provision and deploy apps and business processes, and could have allowed hackers to take control of a server.
“The end result would be that a hacker could potentially take control over the entire Azure server, and consequently take control over all your business code,” the researchers said.
The researchers could get into applications, see data and take over accounts by creating a free user in Azure Cloud and running malicious functions.
“Exploiting this vulnerability in all of the plans could allow us to compromise Microsoft’s App Service infrastructure,” the researchers explain. “However, exploiting it specifically on a Free/Shared plan could also allow compromising other tenant apps, data, and account.”
Check Point disclosed the findings to Microsoft in January and June last year, with patches for both issued at the end of 2019. The first flaw was awarded $5,000 from Microsoft’s bug bounty programme; the second earned $40,000.
The researchers emphasised in a report on the second flaw that while the cloud is “considered safe”, it can still have vulnerabilities: “The cloud is not a magical place.”