You can't be serious right? I don't even know where to start.
Because if your product has critical security vulnerabilities or design flaws, you won't be in business very long? Or look at it this way, your product will put the Security of others at risk?
If this isn't a joke comment, I'd remove your job title from it.
It has to be a joke. The comment lacks the playful tell of good sarcasm, but nobody with half a brain would ever say something seriously in that manner.
Coincidentally, today I noticed a surprisingly high number of file accesses from Tenable's Nessus software, caused by it reading a megabyte-sized config file one character at a time without buffering, each going through Win32's ReadFile.
This is generally my impression of anything Microsoft. O365, Azure, AAD, Teams, logging needing extra support levels, patching on Windows, how CVEs aren't CVEs, how they won't implement secure defaults, etc.
Mind you my opinion is easily permanently soured on far cooler engineering things (like Cloudflare) for them hosting doxxing things... as much as I like the engineering... if you refuse to keep people safe why would I take the risk to use your infrastructure?
Well, I am glad someone is doing research in this area. Powerapps are one of those things I hope I never have to deal with in a security incident. The logging and access control is messy but the underlying implementation uses normal azuread authentiation/access control.
Let's say a random user creates an app to measure something for their team, store it in sharepoint and update the avatar or some other property of users stored in azuread. Because of that latter part, the powerapp might (!) have requested and been granted directory.readwrite.all which means it can do anything at all including making itself or whoever can somehow control it and abuse it global admin, controlling the whole tenant.
A lot of this stuff is for business customers only, I suspect that's why you see little research or random threat actors abusing these types of features (until they're not random anymore).
21 comments
[ 171 ms ] story [ 153 ms ] threadBecause if your product has critical security vulnerabilities or design flaws, you won't be in business very long? Or look at it this way, your product will put the Security of others at risk?
If this isn't a joke comment, I'd remove your job title from it.
As Microsofts head of product strategy, I raise you this: If you're so concerned about security, just get an antivirus
I have a relative that works for them doingnthe CyberSec thing who had talked about this a few weeks ago.
Maybe they need an Azure SP3 moment?
It seems that negligence is not in short supply.
Mind you my opinion is easily permanently soured on far cooler engineering things (like Cloudflare) for them hosting doxxing things... as much as I like the engineering... if you refuse to keep people safe why would I take the risk to use your infrastructure?
Let's say a random user creates an app to measure something for their team, store it in sharepoint and update the avatar or some other property of users stored in azuread. Because of that latter part, the powerapp might (!) have requested and been granted directory.readwrite.all which means it can do anything at all including making itself or whoever can somehow control it and abuse it global admin, controlling the whole tenant.
A lot of this stuff is for business customers only, I suspect that's why you see little research or random threat actors abusing these types of features (until they're not random anymore).
> Redmond has since notified all impacted customers through the Microsoft 365 Admin Center starting August 4th.
> initial fix deployed by Redmond on June 7th was tagged by Tenable as incomplete
> To make matters even worse, Redmond's initial commitment to fixing the issue...
It's like how they call the US federal government "Washington".