Kevin BeaumontAug 4, 2023

The disclosure timeline on this post is just not acceptable by Microsoft.

I made this plea on Twitter a while ago - security researchers, please include full timelines like this in disclosures. This one isn’t isolated. The more this kind of thing comes out in public, the more it forces cloud providers to properly resource security fixes.

https://www.tenable.com/security/research/tra-2023-25

Unauthorized Access to Cross-Tenant Applications in Microsoft Power Platform

A researcher at Tenable has discovered an issue that enables limited, unauthorized access to cross-tenant applications and sensitive data (including but not limited to authentication secrets). Background The issue occurred as a result of insufficient access control to Azure Function hosts, which are launched as part of the creation and operation of custom connectors in Microsoft’s Power Platform (Power Apps, Power Automation).

Tenable®
Show threadKevin Beaumont

One thing I’ve noticed is Mandiant now assign their own CVE like numbers to cloud provider vulnerabilities like this.

There really needs to be a properly, commonly agreed up system like CVE for this (not run by Google). I know there’s attempts at this, I hope they take off.

The illusion the cloud is magically secure is just that; an illusion. At the minute cloud providers are hiding behind lack of regulation, lack of transparency & deliberate subterfuge to protect shareholders. It’s not great.

Aug 4, 2023 at 6:00pmWeb
Show threadClaus Cramon HoumannAug 4, 2023
@GossiTheDog read EUCS when eventually published
Show threadNils Goroll 🕊️Aug 4, 2023
@GossiTheDog the main issue, imho: the oligopolistic cloud is as closed as windows95.