Azure admins warned to disable shared key access as backdoor attack detailed

A design flaw in Microsoft Azure – that shared key authorization is enabled by default when creating storage accounts – could give attackers full access to your environment, according to Orca Security researchers. "Similar to the abuse of public AWS S3 buckets seen in recent years, attackers can also look for and utilize Azure …
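The defensive check that follows is an added example written for this page; it is not code from the article, from Orca Security, or from Microsoft. It models only the fields of `az storage account list --output json` and `az role definition list --output json` that the audit needs, with the sample records constructed inline. Two things are checked: which storage accounts still allow shared key authorization (the `allowSharedKeyAccess` property, where an unset value means the platform default of "enabled" that the article describes), and which role definitions grant `Microsoft.Storage/storageAccounts/listKeys/action`, the action that hands out the keys in the first place. Output is a list of `az storage account update` commands using the real `--allow-shared-key-access` parameter.

```python
"""Audit Azure storage accounts and roles for shared key exposure.

Added example for this page (not the article's or any vendor's code).
Input shapes are trimmed to the properties read below; everything else
the CLI returns is ignored.
"""
import json

LIST_KEYS_ACTION = "Microsoft.Storage/storageAccounts/listKeys/action"

# Constructed sample of `az storage account list` output (trimmed).
SAMPLE_ACCOUNTS = json.dumps([
    {"name": "prodlogs", "resourceGroup": "rg-prod", "allowSharedKeyAccess": None},
    {"name": "backups",  "resourceGroup": "rg-prod", "allowSharedKeyAccess": True},
    {"name": "hardened", "resourceGroup": "rg-sec",  "allowSharedKeyAccess": False},
])

# Constructed sample of `az role definition list` output (trimmed). The
# role names are made up; only the action lists matter to the audit.
SAMPLE_ROLES = json.dumps([
    {"roleName": "Custom Storage Reader",
     "permissions": [{"actions": ["Microsoft.Storage/storageAccounts/read",
                                  LIST_KEYS_ACTION]}]},
    {"roleName": "Custom Monitoring Viewer",
     "permissions": [{"actions": ["Microsoft.Insights/*/read"]}]},
    {"roleName": "Custom Storage Operator",
     "permissions": [{"actions": ["Microsoft.Storage/*"]}]},
])


def shared_key_enabled(account: dict) -> bool:
    """Shared key auth is in effect unless the property is explicitly false.

    None/missing means the default applies, and the default is enabled.
    """
    return account.get("allowSharedKeyAccess") is not False


def find_exposed_accounts(az_list_json: str) -> list[dict]:
    """Return accounts that still accept shared key authorization."""
    exposed = []
    for acct in json.loads(az_list_json):
        if not shared_key_enabled(acct):
            continue
        reason = ("default (property unset)"
                  if acct.get("allowSharedKeyAccess") is None
                  else "explicitly enabled")
        exposed.append({"name": acct["name"],
                        "resourceGroup": acct["resourceGroup"],
                        "reason": reason})
    return exposed


def action_matches(pattern: str, action: str) -> bool:
    """Match an RBAC action string, honouring a trailing or embedded '*'.

    Azure action patterns are segment wildcards; this handles the common
    forms ("Microsoft.Storage/*", "Microsoft.Storage/storageAccounts/*/read").
    """
    if "*" not in pattern:
        return pattern.lower() == action.lower()
    parts = pattern.lower().split("*")
    act = action.lower()
    if not act.startswith(parts[0]) or not act.endswith(parts[-1]):
        return False
    pos = len(parts[0])
    for middle in parts[1:-1]:
        idx = act.find(middle, pos)
        if idx < 0:
            return False
        pos = idx + len(middle)
    return True


def roles_granting_list_keys(az_roles_json: str) -> list[str]:
    """Names of roles whose actions cover listKeys (directly or via '*')."""
    names = []
    for role in json.loads(az_roles_json):
        for perm in role.get("permissions", []):
            granted = any(action_matches(a, LIST_KEYS_ACTION)
                          for a in perm.get("actions", []))
            denied = any(action_matches(a, LIST_KEYS_ACTION)
                         for a in perm.get("notActions", []))
            if granted and not denied:
                names.append(role["roleName"])
                break
    return names


def remediation_commands(exposed: list[dict]) -> list[str]:
    """One `az storage account update` per exposed account."""
    return [f"az storage account update --name {a['name']} "
            f"--resource-group {a['resourceGroup']} "
            f"--allow-shared-key-access false" for a in exposed]


if __name__ == "__main__":
    for acct in find_exposed_accounts(SAMPLE_ACCOUNTS):
        print(f"{acct['name']} ({acct['resourceGroup']}): {acct['reason']}")
    for cmd in remediation_commands(find_exposed_accounts(SAMPLE_ACCOUNTS)):
        print(cmd)
    print("roles that can read account keys:",
          roles_granting_list_keys(SAMPLE_ROLES))
```

Run the real audit by feeding the script the JSON from `az storage account list --output json` and `az role definition list --custom-role-only true --output json` instead of the constructed samples. Before applying the update commands, note that disallowing shared key authorization also rejects any SAS token signed with the account key, so workloads that still depend on the key or on account SAS need to move to Entra ID (RBAC) authorization first.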

  1. DJV Silver badge

    Another example...

    Another Microsoft "security is an afterthought" example.

  2. Pascal Monett Silver badge

    "these permissions could be abused" . . .

    . . . but it's no big deal actually.

    Sure, Borkzilla, it's not your data that is at risk, so "no big deal".

    But you created a security environment which "could be abused".

    Tell me, did you ever think of pitting your security against an official Red Team ? No ?

    Of course not, silly me. That's what customers are for.

    1. Georgski

      Re: "these permissions could be abused" . . .

      This is a bit of a nothingburger; if you get the super key then you can use the super key. No exploits were used to obtain the super key.

      What they could do however is disable super keys by default. Sounds like they are thinking of doing this someday. IMO they should do it sooner than that.

  3. Scott 26

    I've always thought the data plane RBAC for Storage was weird - "I want Read Only access".... ok, but you need to listKeys and once you have the keys, you have RW..... ffs!

  4. MatthewSt Silver badge

    Is that all?

    So you need a specifically configured set of security rights, a specific use of Azure resources deployed... and a compromised account that has access to do all of the things that you need to do. If something you're doing relies on you having valid user credentials, then that's not a security issue.

    As a side, it's all well and good recommending you disable the shared access keys but Azure Functions don't yet (as far as I know) support using Managed Identities to talk to Storage

  5. Ken Moorhouse Silver badge

    Yawn

    It must be a slow news day today...

    1. ecofeco Silver badge

      Re: Yawn

      Sir, this is Arby's.

    2. Ken Moorhouse Silver badge

      Re: 1 thumb down

      I see the Microsoft fan club have a heavy presence in this topic.

  6. Anonymous Coward

    Clearing up

    Are they referring to access keys or shared access signatures?

  7. ecofeco Silver badge

    Azure is on a winning streak!

    Oh my. Lots of fun with Azure over the last 60 days.

    Fun I tell you!

    Not.
