Continuing the #BingBang thread, many have asked how we found the vulnerable Bing Trivia endpoint.
Let me share our unique Azure Active Directory cloud reconnaissance technique to find misconfigured authentication prompts🧵
We wanted to scan the internet🌎and measure how many Azure customers mistakenly misconfigured their Azure App Service and Azure Functions authentication, allowing anyone to log in
Sep 20, 2022 • 7 tweets • 2 min read
Vulnerability full disclosure - New Oracle cloud vulnerability allowed users to access the virtual disks of other Oracle customers >>
We found the vulnerability while working on the Wiz/Oracle cloud (OCI) integration. When trying to attach to another OCI user's virtual disk, we were surprised to find the operation succeeded! We received read/write access to disks in another account that does not belong to us 🤯
Aug 21, 2021 • 6 tweets • 3 min read
(1/6) @awscloud just fixed a few more cross-account vulnerabilities that we found and reported during our AWS research >>> @wiz_io @amiluttwak
(2/6) Vulnerability #1: Cross-Account Lambda Invocation in AWS Config
Apparently, AWS Config could invoke a Config-supported Lambda function in other accounts (!)