19

Haha - whoever says Azure is totally fine unless people are too stupid to configure it might want to think again. Apparently, that shit is so difficult to configure securely that even Microsoft fails to do it: https://msrc-blog.microsoft.com/202...

Comments
  • 6
    And yet they had the audacity to get mad at their shit being spilled out.
  • 2
    MS has never failed to surprise us.
  • 3
    Lesson learned: don't use Microsoft Azure ever.
  • 3
    Tbh it's pretty unprofessional for a security group to do what the post says SOCRadar did.
  • 2
    @RememberMe Given that Microsoft takes issue with the public release of a search tool, MS still seems to believe in "security through obscurity".

    That in turn may be exactly why the group released that, because companies like MS usually don't give a shit unless things blow up hot so that they have to get their ass up.
  • 1
    @Fast-Nop to me it reads more like an irresponsible disclosure of vulnerable data. If you read the points MS objects to, it's not that the group made the search tool, but that it was done improperly ("We recommend that any security company that wants to provide a similar tool follow basic measures to enable data protection and privacy").

    It also appears that the researchers exaggerated the scope of the issue (and didn't respond to follow-up). Both of these are entirely fair game to be pissed at. Just because a security group says something doesn't make it true; publishing such findings should be done with verification from the affected company.

    Security groups are usually pretty responsible about such things (the legit ones, not hackers).
  • 3
    @RememberMe I wouldn't necessarily trust Microsoft to accurately respond because they have a conflict of interest in playing down anything bad with their booming cloud business.

    For example, this here leaves a slightly different impression of the situation: https://scmagazine.com/analysis/...

    It also lets Microsoft's claims of erroneous attribution appear in another light. This is simply not true - it's that both sides have a different take on whether the data are in fact duplicates.
  • 2
    @Fast-Nop that's fair. I was going off the original post.
  • 2
    @RememberMe yeah that's a dangerous thing to do. Have seen that with Apple and Intel security issues too. Companies often downplay and try to award as little bug bounty as possible. Sometimes companies (especially MS, which has a history of this) take such a long time that just releasing it to the public is the best option, so at least it gets fixed instead of eventually silently exploited.

    These companies have a whole marketing team involved.