Another example...
Another Microsoft "security is an afterthought" example.
A design flaw in Microsoft Azure – that shared key authorization is enabled by default when creating storage accounts – could give attackers full access to your environment, according to Orca Security researchers. "Similar to the abuse of public AWS S3 buckets seen in recent years, attackers can also look for and utilize Azure …
. . . but it's no big deal actually.
Sure, Borkzilla, it's not your data that is at risk, so "no big deal".
But you created a security environment which "could be abused".
Tell me, did you ever think of pitting your security against an official Red Team? No?
Of course not, silly me. That's what customers are for.
This is a bit of a nothingburger; if you get the super key then you can use the super key. No exploits were used to obtain the super key.
What they could do however is disable super keys by default. Sounds like they are thinking of doing this someday. IMO they should do it sooner than that.
So you need a specifically configured set of security rights, a specific use of Azure resources deployed... and a compromised account that has access to do all of the things that you need to do. If something you're doing relies on you having valid user credentials, then that's not a security issue.
As an aside, it's all well and good recommending you disable the shared access keys but Azure Functions don't yet (as far as I know) support using Managed Identities to talk to Storage.
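An added example, not part of any comment above: a small audit over the JSON that `az storage account list -o json` produces, listing accounts that still accept shared key authorization. It treats an unset `allowSharedKeyAccess` as enabled, since that is the default the thread is discussing; the account and resource group names in the sample are constructed.

```python
import json

# Constructed sample in the shape of `az storage account list -o json`.
# Account and resource group names are made up for this example.
SAMPLE = """
[
  {"name": "stlegacylogs", "resourceGroup": "rg-ops", "allowSharedKeyAccess": null},
  {"name": "stfuncruntime", "resourceGroup": "rg-app", "allowSharedKeyAccess": true},
  {"name": "stfinance", "resourceGroup": "rg-fin", "allowSharedKeyAccess": false},
  {"name": "stoldexport", "resourceGroup": "rg-ops"}
]
"""

def load(text):
    """Parse the CLI output and check it is a list of account objects."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("expected a JSON array of storage accounts")
    return data

def shared_key_state(account):
    """Classify one account. Only an explicit false turns shared key off;
    a null or missing property leaves it on (the default)."""
    value = account.get("allowSharedKeyAccess")
    if value is False:
        return "disabled"
    if value is True:
        return "enabled (explicit)"
    return "enabled (default, property unset)"

def audit(accounts):
    """Return sorted (resource group, account, state) tuples for every
    account that still accepts shared key authorization."""
    findings = []
    for acct in accounts:
        state = shared_key_state(acct)
        if state != "disabled":
            findings.append((acct.get("resourceGroup", "?"), acct["name"], state))
    return sorted(findings)

if __name__ == "__main__":
    for rg, name, state in audit(load(SAMPLE)):
        print(f"{rg}/{name}: shared key {state}")
```

Accounts the audit lists can be changed with `az storage account update --allow-shared-key-access false`, once nothing that depends on the account keys is still using them.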