A flaw in Microsoft’s Azure App Service has been exposing customer source code for years, security researchers have discovered.
According to cloud security providers Wiz.io, Microsoft’s platform for building and hosting web apps has contained insecure default behavior in its Linux variant since 2017, and as a result, PHP, Node, Python, Ruby and Java customer source code had been exposed.
The company named the flaw ‘NotLegit’, and said it was “probably exploited in the wild”. IIS-based applications are safe, though. After deploying a vulnerable app of their own, it only took Wiz.io four days to get a threat actor trying to access the contents of the source code folder on the exposed endpoint.
