Share this page!

Shir @ fwd:cloudsec Profile picture
@shirtamari
Apr 4 7 tweets 3 min read Twitter logo Read on Twitter
Continuing the #BingBang thread, many have asked how we found the vulnerable Bing Trivia endpoint.

Let me share our unique Azure Active Directory cloud reconnaissance technique to find misconfigured authentication prompts🧵
We wanted to scan the internet🌎and measure how many Azure customers mistakenly misconfigured their Azure App Service and Azure Functions authentication, allowing anyone to log in
Most Azure App Service and Azure Functions are hosted under *.azurewebsites.net. So we used (the amazing 💙) @CommonCrawl and a commercial Passive DNS service to gather hundreds of thousands of azurewebsites subdomains
We then executed an HTTP scan across all of them and tried to detect the Microsoft Login page
We quickly noticed the AAD login page discloses the application's Client ID
This ID can provide us with a lot of information! We can query the Azure Graph API about it and discover details like App publisher, tenant ID, and if the app supports multi-tenant authentication🔎
Filtering results for multi-tenant apps under Microsoft's tenant eventually yielded bingtrivia.azurewebsites.net🎯

Then, it was just a matter of logging in and discovering the power that came with it⚡️

(As @Hillai describes in the original thread)

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Shir @ fwd:cloudsec

Shir @ fwd:cloudsec Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @shirtamari

Shir @ fwd:cloudsec Profile picture
Sep 20, 2022
Vulnerability full disclosure - New Oracle cloud vulnerability allowed users to access the virtual disks of other Oracle customers >>
We found the vulnerability while working on the Wiz/Oracle cloud (OCI) integration. When trying to attach to another OCI user's virtual disk, we were surprised to find the operation succeeded! We received read/write access to disks in another account that does not belong to us 🤯
Each virtual disk in Oracle's cloud has a unique identifier called OCID. This identifier is not considered secret, and organizations do not treat it as such.
Read 7 tweets
Shir @ fwd:cloudsec Profile picture
Aug 21, 2021
(1/6) @awscloud just fixed few more cross-account vulnerabilities that we found and reported during our AWS research >>>
@wiz_io @amiluttwak ImageImage
(2/6) Vulnerability #1: Cross-Account Lambda Invocation in AWS Config
Apparently, AWS config could invoke Config supported lambda function in other accounts (!)
(3/6) #2: Cross-Account exposure of SNS topics in AWS Config and CloudTrail
When user create an SNS topic for CloudTrail and AWS Config, the default policy allows any user of CloudTrail and Config to publish notifications to the topic – exposing it for manipulations and abuse.
Read 6 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

Send Email!

:(