Leaky Azure storage account puts software developer IP at risk

A degree of mystery surrounds the provenance of a newly discovered cache of confidential source code data that was left exposed and accessible in a misconfigured Microsoft Azure Blob cloud storage account.

The data appears to originate from a series of pitches made to Microsoft Dynamics by various companies, and many of them include software source code for products that have subsequently been released. The full dataset contains 63GB of data contained in almost 4,000 separate files and, beside proprietary code, includes business pitch decks, product descriptions and hardcoded passwords.

It was found by vpnMentor researchers led by Noam Rotem in January 2021, but after multiple attempts at responsible disclosure, the team has only been able to make the very tentative assumption that the exposure originates from within Microsoft itself.

“Each of these firms – including some well-known companies – was exposed, with highly sensitive internal data about their operations and product lines publicly accessible,” said Rotem in a disclosure blog published today.

“After an initial investigation, we identified two potential owners, starting with Canadian consulting firm Adoxio. As KPMG now owns Adoxio, we contacted KPMG to notify it of the breach. KPMG replied, confirming they didn’t own the data, and suggested it belonged to Microsoft.

“We also suspected Microsoft was responsible. So, we then reached out to the company several times to ensure the files were made secure and to confirm the data belonged to them. While we received only automated responses from the company, the Azure Blob account was secured in the meantime.”

Rotem added: “Over two months after initially discovering the vulnerability, we finally received a reply from Microsoft. However, the company appears to have mistaken the data breach disclosure for a disclosure of a flaw in its software. In its response, Microsoft failed to acknowledge the data breach or claim responsibility. As a result, we have no way to verify whether the file belongs to Microsoft.”

Although now secured, the data exposure is significant because if a malicious actor was to obtain source code, it would be much easier for them to find vulnerabilities within a product or database and manipulate it to gain access to more sensitive data held by their target users – bypassing normal data security protocols.

They could then exfiltrate further data, or even assume remote control of the systems running the code – enabling them to establish persistence within their target network and conduct further attacks, including ransomware.

Source code data could also be passed to competitors, putting companies that initially developed it at risk of industrial espionage.

Rotem said the owner of the Azure Blob account could easily have avoided the incident by securing their servers, implementing access rules, and not leaving systems that don’t require authentication open to the internet. As with other cloud storage products, such as AWS S3, Azure Blobs are not publicly accessible by default, and Microsoft provides thorough recommendations and instructions on how to do so.