medium

Azure Devops account takeover via dangling subdomain takeover

Published Mon, Nov 7th, 2022

Platforms

Summary

Binary Security discovered and registered two dangling cloudapp.azure.com subdomains corresponding to subdomains at visualstudio.com. Had these been discovered and registered by an attacker, this would have been equivalent to a 1-click vulnerability for Azure DevOps: the attacker could have crafted a URL referring to the sign-in API for Azure DevOps Services (app.vssps.visualstudio.com) using one of the two subdomains in the "reply_to" field (since subdomains of visualstudio.com would be allowed by the API). If clicked on by a target Azure DevOps user, this would have sent an authentication token to an attacker-controlled server, thereby allowing account takeover.

Affected Services

DevOps

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://www.binarysecurity.no/posts/2022/11/azure-devops-takeover

Contributed by https://github.com/korniko98

Disclosure Date

Thu, Feb 18th, 2021

Exploitablity Period

Known ITW Exploitation

Detection Methods

Piercing Index Rating

Discovered by

Christian August Holm Hansen, Binary Security

More vulnerabilities...

medium

CosMiss

Cosmos DB notebooks lacked an authentication check, meaning that if an attacker somehow had prior knowledge of a notebook’s temporary ‘forwardingId’ (a 128bit cryptographically random GUID assigned...

Lidor Ben Shitrit, Roee Sag...

Tue, Nov 1st, 2022

medium

Azure CLI code injection vulnerability

Azure CLI contained a code injection vulnerability that could be exploited in a scenario where the host runs a command where parameter values have been provided by an external untrusted source - th...

Microsoft

Tue, Oct 25th, 2022

BlueBleed

In September 22', SOCRadar discovered an insecure public Azure blob storage owned by Microsoft (olyympusv2.blob.core.windows[.]net). This blob storage was used for storing emails and other document...

SOCRadar

Wed, Oct 19th, 2022

View all