medium

Azure Devops account takeover via dangling subdomain takeover

Published Mon, Nov 7th, 2022

Platforms

azure

Summary

Binary Security discovered and registered two dangling cloudapp.azure.com hostnames that subdomains of visualstudio.com still pointed to. Had an attacker found and registered them first, the result would have been a 1-click account takeover for Azure DevOps: the attacker could have crafted a URL to the Azure DevOps Services sign-in API (app.vssps.visualstudio.com) with one of the two subdomains in the "reply_to" parameter, which the API would accept because it allowed any subdomain of visualstudio.com. A target Azure DevOps user who clicked the link would have had an authentication token sent to the attacker-controlled server, giving the attacker control of the account.
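As an added illustration (not part of the original entry or Microsoft's code), the following Python shows the two defender-side checks this entry implies: auditing CNAME records for targets under cloudapp.azure.com that no longer resolve, and validating a sign-in redirect parameter by exact host rather than by domain suffix. All hostnames and resolution results below are constructed samples.

```python
from urllib.parse import urlsplit

# Constructed sample records (not real DNS data): hostname -> CNAME target.
SAMPLE_CNAMES = {
    "legacy.example-corp.test": "legacy-svc.westeurope.cloudapp.azure.com",
    "portal.example-corp.test": "portal-svc.westeurope.cloudapp.azure.com",
    "blog.example-corp.test": "example-corp.example-cdn.test",
}

# Constructed resolution results; a real audit would query DNS for each target.
SAMPLE_RESOLVES = {
    "portal-svc.westeurope.cloudapp.azure.com": True,
    "legacy-svc.westeurope.cloudapp.azure.com": False,  # resource deleted, name free
    "example-corp.example-cdn.test": True,
}

# Provider suffixes where an unresolving target can be re-registered by any tenant.
TAKEOVER_SUFFIXES = (".cloudapp.azure.com",)


def find_dangling(cnames, resolves):
    """Return hostnames whose CNAME points under a takeover-prone suffix
    and whose target no longer resolves (the dangling case in this entry)."""
    dangling = []
    for host, target in cnames.items():
        target = target.rstrip(".").lower()
        if target.endswith(TAKEOVER_SUFFIXES) and not resolves.get(target, False):
            dangling.append(host)
    return sorted(dangling)


def reply_to_allowed_by_suffix(url, parent_domain):
    """The weak policy: every host under parent_domain passes, dangling ones included."""
    host = (urlsplit(url).hostname or "").lower()
    return host == parent_domain or host.endswith("." + parent_domain)


def reply_to_allowed_exact(url, allowed_hosts):
    """The stricter policy: https only and an exact match against registered hosts."""
    parts = urlsplit(url)
    return parts.scheme == "https" and (parts.hostname or "").lower() in allowed_hosts
```

The suffix check accepts the dangling host, while the exact-host check rejects it even though it sits under the same parent domain.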

Affected Services

DevOps

Remediation

None required

Tracked CVEs

No tracked CVEs

References

Contributed by https://github.com/korniko98

Entry Status

Finalized

Disclosure Date

Thu, Feb 18th, 2021

Exploitability Period

-

Known ITW Exploitation

-

Detection Methods

None

Piercing Index Rating

-

Discovered by

Christian August Holm Hansen, Binary Security