MY BRAND BOOK Microsoft fixes flaw after Tenable CEO calls it ‘grossly irresponsible’

Microsoft fixes flaw after Tenable CEO calls it ‘grossly irresponsible’

By MYBRANDBOOK

After being called "grossly irresponsible" by Tenable’s CEO, Microsoft has fixed a security flaw in the Power Platform Custom Connectors feature that let unauthenticated attackers access cross-tenant applications and Azure customers' sensitive data.

The root cause of the issue stemmed from inadequate access control measures for Azure Function hosts launched by connectors within the Power Platform. These connectors use custom C# code integrated into a Microsoft-managed Azure Function featuring an HTTP trigger.

The API endpoints facilitated requests to the Azure Function without enforcing authentication, although customer interaction with custom connectors usually happens via authenticated APIs. This created an opportunity for attackers to exploit unsecured Azure Function hosts and intercept OAuth client IDs and secrets.

"It should be noted that this is not exclusively an issue of information disclosure, as being able to access and interact with the unsecured Function hosts, and trigger behavior defined by custom connector code, could have further impact," says Tenable.

Tenable discovered the flaw and reported it on March 30th.

"However, because of the nature of the service, the impact would vary for each individual connector, and would be difficult to quantify without exhaustive testing,” it further added.

"To give you an idea of how bad this is, our team very quickly discovered authentication secrets to a bank. They were so concerned about the seriousness and the ethics of the issue that we immediately notified Microsoft," Tenable CEO Amit Yoran explained.

Tenable also shared proof of concept exploit code and information on the steps required to find vulnerable connector hostnames and how to craft the POST requests to interact with the unsecured API endpoints.

Microsoft resolved the issue for all customers on August 2nd after an initial fix deployed by Redmond on June 7th was tagged by Tenable as incomplete.

"This issue has been fully addressed for all customers and no customer remediation action is required," Microsoft said.

BREAKING NEWS

Cisco announces AI-native secure Wi-Fi 7 for future-ready employe...

Announcing a major leap in wireless technology, Cisco has launched its Wi...

The BSE benchmark Sensex tumbled over 800 points, leaving investo...

The BSE benchmark Sensex recently experienced a significant drop, tumblin...

North Korean GPS Interference Disrupts Air Traffic...

South Korea's military has publicly accused North Korea of disrupting GP...

US ordered TSMC to halt chip shipments to China...

TSMC has had regular discussions with the government on export control issu...

TECHNO TRENDS

Nazara and ONDC set to transform in-game monetization with ‘

Nazara Technologies has teamed up with the Open Network for Digital Comme...

Jio Platforms and NICSI to offer cloud services to government

In a collaborative initiative, the National Informatics Centre Services In...

BSNL awards ₹5,000 Cr Project to RVNL-Led Consortium

A syndicate led by Rail Vikas Nigam Limited (abbreviated as RVNL), along wi...

Pinterest tracks users without consent, alleges complaint

A recent complaint alleges that Pinterest, the popular image-sharing platf...

E-Magazine

TECHNOTAINMENT

Eloelo teams up with Elvish Yadav for India's biggest digital

Netflix adds 'Moments' feature for saving, sharing scenes from

Netflix has introduced a new “Moments” feature on its mobile app, whic

Jacqueline Fernandez come together with YouTuber Mr. Beast for

Jacqueline Fernandez has partnered with American YouTuber Mr. Beast to b

MOVERS & SHAKERS

Kamal Nath quits SIFY Technologies

Visa elevates Rishi Chhabra as new Country Manager for India

Rishi holds a Master’s in Industrial Engineering from The Ohio State Univ

Genesys welcomes Albert Nel as Senior VP and Regional Sales Le

Genesys continues to deepen its investment in the APAC region. Earlier this

OPEN YOUR EYES

Payment industry is eyeing Asia as attractive for V.C. investors amid COVID-19

How Work From Home Brings Various Security Challenges

Digital economy is at risk with the growing cyber attacks

The rising risk of insider threats in the remote workforce

Chinese Investments targets start-ups to scale up in India

INTERVIEWS

Delivering Critical Business Communication Solutions to Enterp

Cisco building a trusted and resilient future for the nation

Security is foundational to everything Cisco does and customers insist on e

Alcatel-Lucent Enterprise Carrying a 100 year legacy ahead

A good amount of R&D works and global support services are operated out of

HOT PICK

BOULT unveils AmpVault V10 & V20 powerbanks: Fast charging, sa

SonicWall Launches TZ80: A Powerful Solution for Remote Office

SonicWall announced today the launch of the TZ80, a groundbreaking securit

Gigabyte X3D Turbo: A Gaming Revolution

GIGABYTE X3D Turbo Mode is a cutting-edge feature that unifies cores distr

MAKE IN INDIA BRANDS

TALLY SOLUTIONS PVT. LTD.

BHARAT ELECTRONICS LTD.

DIGISOL SYSTEMS LTD.

SECUREYE SERVICES PVT. LTD.

EMINENT CIO'S OF INDIA

AI TO IMPROVE INSIGHTS THROUGH AUGMENTED ANALYTICS, WHILE EDGE COMPUTING TO ALLOW REAL-TIME PROCESSING

For the fiscal year 2024-25, our organization has ...

GAINING CUSTOMERS’ TRUST IS ESSENTIAL FOR SMOOTH OMNICHANNEL INTERACTIONS

In the fiscal year 2024-25, our organization has i...

AI AND DATA ANALYTICS REVOLUTIONIZING HEALTHCARE SERVICES

...

ICONS OF INDIA

Icons Of India : NIKHIL RATHI

Co-founder & CEO of Web Werks, a global leader in Data Centers and Clo...

Icons Of India : NATARAJAN CHANDRASEKARAN

Natarajan Chandrasekaran (Chandra) is the Chairman of Tata Sons, the h...

Icons Of India : Daisy Chittilapilly

Daisy Chittilapilly is the President of Cisco’s India and SAARC regi...

PARTNER SPEAKERS

Innovation, Technology and Partnerships Continue To Be The Cornerstone Of Growth

IT distribution is undergoing a significant transformation. As technology evol...

Ensuring Mutual Success By Aligning Partner's Needs

The IT industry is one of the most dynamic industries. Here, not only does the...

PASS Audit – The differentiating facet

Futurenet Technologies collects feedback from customers, vendors and social me...

PSU

BEL - Bharat Electronics Limited

BEL is an Indian Government-owned aerospace and defence electronics co...

ITI - ITI Limited

ITI Limited is a leading provider of telecommunications equipment, sol...

RailTel Corporation of India Limited

RailTel is a leading telecommunications infrastructure provider in Ind...

VIDEOS

Top 25 Brands

Most Trusted Brands 2024: GOOGLE

Google has a long history of technological innovation across various domains, ...

Most Trusted Brands 2024 : Ingram Micro India

Ingram Micro India’s strong brand connection is built on its distribution ne...

Most Trusted Brands 2024 : Intel Corporation

Intel Corporation continually pushes the boundaries of processor performance, ...

Global Indian industry

Indian Tech Talent Excelling The Tech World - NIKESH ARORA, Chairman CEO - Palo Alto Networks

Nikesh Arora, the Chairman and CEO of Palo Alto Networks, is steering ...

Indian Tech Talent Excelling The Tech World - JAYASHREE ULLAL, President and CEO - Arista Network

Jayshree V. Ullal is a British-American billionaire businesswoman, ser...

Indian Tech Talent Excelling The Tech World - George Kurian, CEO, Netapp

George Kurian, the CEO of global data storage and management services ...

STARNITE AWARDS 2024

ITFORUM 2024

CMO of the Year

WOMEN LEADERSHIP

IMAGE GALLERY

TRENDS IN TECHNOLOGY