https://marshallford.me - Built with Hugo and deployed with Terraform to GCP Cloud Run


FYI: There is another hugo related project under the same name. https://github.com/netlify-templates/victor-hugo


Does the $3000 (USD?) bounty seem low to anyone else? Prior to reading the timeline section at the bottom of the post I would have guessed a range of 25k to 50k as a bounty for such a severe vulnerability.


Yeah. It seems low to me. The team writing the auth code is probably paid a fortune comparatively. It’s also surprising to see MS has mistakes like that in the auth flow. I know it’s a combo, but still, damn!

I don’t know enough about dev.azure.com, but if they could do more than read info, like spin up VMs, then $3k is an insulting joke. Doubly so if there are credit cards attached to those accounts. The idea of someone spinning up resources on my Azure account gives me nightmares.

It’s also worth noting the combo here is really nasty because DNS takeover means you could send phishing emails from a legit sub domain.

What’s the damage to MS if someone nefarious had found that and launched a huge phishing campaign?


It's highly recommended to not allow wildcards in the redirect_to values within OAuth2 for that reason: It's just too easy to create flaws like this one. Additionally on https://docs.microsoft.com/en-us/azure/active-directory/deve..., Microsoft itself recommends to avoid them: "Wildcard URIs, such as https://*.contoso.com, are convenient but should be avoided. Using wildcards in the redirect URI has security implications."


What's really WTF for me is:

  "We found that we could exchange the stolen authentication token for a Bearer token through app.vsaex.visualstudio.com"
For me this exchange should always require an additional secret they should not have access to (exception would be for an app where securing the secret is not trivial, but not the case here I believe).
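The two server-side checks discussed in this thread (exact-match redirect_uri validation instead of wildcards, and a code-for-token exchange that demands the client's secret), as an added example. This is not code from the thread, from Microsoft or from any real authorization server; client ids, secrets, hosts and codes are constructed, and the wildcard registration is included only to show what it lets through when a subdomain is no longer under the owner's control.

```python
"""Minimal OAuth2 authorization-server checks (added example, constructed data).

1. redirect_uri is compared to the client's registered URIs with simple string
   comparison, component by component (RFC 6749 sec. 3.1.2.3); wildcard
   registrations are refused unless explicitly allowed, to show the difference.
2. The token endpoint issues a bearer token only after the confidential client
   proves its secret, and only for a single-use code bound to that client and
   to the exact redirect_uri it was issued for.
"""
import hmac
import secrets
from fnmatch import fnmatchcase
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed client registrations (hypothetical ids, secrets and hosts).
CLIENTS = {
    "web-app": {
        "secret": "s3cr3t-constructed",
        "redirect_uris": ["https://app.example-corp.test/callback"],
    },
    "legacy-app": {
        "secret": "legacy-secret-constructed",
        # The convenient-but-risky registration the comment warns against.
        "redirect_uris": ["https://*.example-corp.test/callback"],
    },
}

# Issued authorization codes: code -> (client_id, redirect_uri it was issued for)
ISSUED_CODES: Dict[str, Tuple[str, str]] = {}


def exact_match(registered: str, candidate: str) -> bool:
    """Component-wise equality of scheme, host, port, path and query.

    No prefix or pattern matching, so a registered URI covers exactly one
    host and path, and the candidate may not add query parameters or a fragment.
    """
    r, c = urlsplit(registered), urlsplit(candidate)
    return (
        c.scheme == "https"
        and r.scheme == c.scheme
        and r.hostname == c.hostname
        and r.port == c.port
        and r.path == c.path
        and r.query == c.query
        and c.fragment == ""
    )


def wildcard_match(registered: str, candidate: str) -> bool:
    """Glob matching: any host that fits the pattern is accepted, including a
    subdomain whose DNS record has been abandoned and could be re-registered."""
    return fnmatchcase(candidate, registered)


def redirect_uri_allowed(client_id: str, candidate: str, allow_wildcards: bool = False) -> bool:
    """True only if candidate matches a URI registered for client_id."""
    for registered in CLIENTS.get(client_id, {}).get("redirect_uris", []):
        if "*" in registered:
            # Strict mode: a wildcard registration is never honoured.
            if allow_wildcards and wildcard_match(registered, candidate):
                return True
            continue
        if exact_match(registered, candidate):
            return True
    return False


def authorize(client_id: str, redirect_uri: str) -> Optional[str]:
    """Authorization endpoint: issue a code bound to (client, redirect_uri),
    or None when the redirect_uri is not registered for that client."""
    if not redirect_uri_allowed(client_id, redirect_uri):
        return None
    code = secrets.token_urlsafe(16)
    ISSUED_CODES[code] = (client_id, redirect_uri)
    return code


def exchange_code(client_id: str, client_secret: str, code: str, redirect_uri: str) -> Optional[str]:
    """Token endpoint: require the client secret, then consume the code and
    check it was issued to this client for this exact redirect_uri."""
    client = CLIENTS.get(client_id)
    if client is None:
        return None
    if not hmac.compare_digest(client["secret"].encode(), client_secret.encode()):
        return None
    issued = ISSUED_CODES.pop(code, None)  # single use: gone after first attempt
    if issued is None or issued != (client_id, redirect_uri):
        return None
    return "bearer-" + secrets.token_urlsafe(16)
```

Run `authorize("legacy-app", "https://stale.example-corp.test/callback", ...)` with and without `allow_wildcards=True` on `redirect_uri_allowed` to see the point of the comment: the exact-match client only ever sends users to the one URI it registered, while the wildcard client would accept any host under the domain, including one nobody owns anymore.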


That’s why I said I was surprised. I just can’t understand how anyone, let alone what I assume is a team, could write auth code without reading the spec to see what every parameter does. Even if you weren’t paying attention I feel like you shouldn’t miss that one, right?

Is that full stack overflow development where someone is copying and pasting things they don't understand?


The recommendation is ignoring the reality of the world. How can developers handle authentication when authentication is not allowed on their company domains?

Measures like filtering/whitelisting are always pushed back in my experience because they're legitimately preventing developers from supporting authentication.


>>> It’s also surprising to see MS has mistakes like that in the auth flow.

Having worked on authentication code across companies, this is really the typical kind of mistake one sees. Nothing special to MS.

It's not even a simple stupid bug, like allowing open redirections. There were some checks on domain and an abandoned whitelisted domain that could be acquired by a new user.


Yes, it's way too low. Seeing companies cheap out on bug bounties makes me feel less secure about them. It shows that they don't believe in the importance of security, provides fewer incentives for ethical hackers to find security issues and it means that less ethical hackers will be that much more tempted to use vulnerabilities they've found unethically.


Don't know the range of their bounty program but seems like this exploit is circumstantial on finding a subdomain which was left hanging. Once they registered that subdomain on their own account, this exploit ceases to be effective for third parties so reproducibility is minimal (subdomain can be registered once). Unless you plan to sell the exploit once to one client or just re-use it one at a time by selling access to it (too much trouble, centralized risk).


It's not about reproducibility but severity and value.

Offering low bounties for something like this can act as an incentive for people who find something like this to sell it somewhere else.

A bug like this would be orders of magnitude more valuable in the wrong hands.


How can a low bounty act as an incentive?


This attack could have been used to gain access to any Azure account.

If you knew that Microsoft would pay you a couple thousand for this and the black market would offer hundreds of thousands of dollars, it could influence a decision to not report the vulnerability to the developer.


I don't see how your explanation shows Microsoft creating the incentive. Your argument seems to amount to "Microsoft is not creating a sufficient disincentive." The problem with creating a sufficient disincentive is that you draw a lot of attention and still run the risk of being outbid when a vulnerability is discovered.


I opened the comments section to ask the exact same question.

Wondering how many hours he put into this.


I often see Imposter Syndrome being discussed on HN and in other software development circles. While I have yet to face the feeling of being an imposter, this particular quote from the article strikes a bit of a nerve:

"Sturgeon’s law says “ninety percent of everything is crap”. I’ve found this to be true of developers. Nine out of ten developers are not just bad but incompetent."

I'm not a mathematician, but if this statement is true, chances are I am an awful developer. Knowing this, how do I and others proceed? Can we be useful on a team?


I am reminded of the adage "If you run into an asshole in the morning, you ran into an asshole. If you run into assholes all day, you're the asshole." I suspect the author has systemic problems working with others. I think if someone is earnestly doing their best to improve their skills, a true professional will accord them the respect they deserve.


I think my estimate was a little on the high side. I've tempered my opinion since then (and I've edited that part out of the post). I don't think 9 out of 10 developers are incompetent.


I'm seeing a templating issue on the timer option in the menu. Great sounds!


I'm curious, did you replace react-router with something else or are you managing the url "manually"?


With a tiny cljs lib (bidi) and some 10 lines of code to change content reactively


I too am confused by this. I found this GitHub issue [1] when searching for a withRouter HOC replacement.

1. https://github.com/ReactTraining/react-router/issues/3847


Hmmm, you bring up a good point; having a file based provider type might be useful as the last fallback.

Also, the tool already supports fallbacks, so if a provider is offline or what have you it will try the next provider in line and so on.


I agree, if that is the case those using Alpine in production should be wary.


Here's a list of people on their issue tracker:

http://bugs.alpinelinux.org/projects/alpine

Can't be too sure though, maybe they're all aliases of one person.


Those are indeed real people.


Shocker.
