Coincidentally, today I noticed a surprisingly high number of file accesses from Tenable's Nessus software, caused by it reading a megabyte-sized config file one character at a time without buffering, each going through Win32's ReadFile.<p>It seems that negligence is not in short supply.
This is generally my impression of anything Microsoft. O365, Azure, AAD, Teams, logging needing extra support levels, patching on Windows, how CVEs aren't CVEs, how they won't implement secure defaults, etc.<p>Mind you, my opinion is easily permanently soured on far cooler engineering things (like Cloudflare) for them hosting doxxing things... as much as I like the engineering... if you refuse to keep people safe, why would I take the risk to use your infrastructure?
Well, I am glad someone is doing research in this area. Powerapps are one of those things I hope I never have to deal with in a security incident. The logging and access control is messy, but the underlying implementation uses normal azuread authentication/access control.<p>Let's say a random user creates an app to measure something for their team, store it in sharepoint and update the avatar or some other property of users stored in azuread. Because of that latter part, the powerapp might (!) have requested and been granted directory.readwrite.all, which means it can do anything at all, including making itself or whoever can somehow control it and abuse it global admin, controlling the whole tenant.<p>A lot of this stuff is for business customers only; I suspect that's why you see little research or random threat actors abusing these types of features (until they're not random anymore).
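The check a practitioner would want after the comment above is an inventory of which service principals in the tenant hold Directory.ReadWrite.All (or an equivalent escalation-capable permission), whether as an application permission or a delegated one. The script below is an added example, not code from the original thread or from Microsoft. It assumes the caller has already pulled the JSON that Microsoft Graph returns from `GET /servicePrincipals/{id}/appRoleAssignments` and `GET /oauth2PermissionGrants`, plus the `appRoles` list of the Microsoft Graph resource service principal (needed to turn `appRoleId` GUIDs into permission names). All sample data, names and GUIDs here are constructed placeholders, not real tenant objects or real app role IDs; the set of permissions treated as tenant-critical is this example's own choice.

```python
"""Audit Entra ID / Azure AD service principals for tenant-takeover permissions.

Added example (not from the thread or from Microsoft). Input shapes follow what
Microsoft Graph returns for appRoleAssignments and oauth2PermissionGrants; the
sample objects, display names and GUIDs below are constructed for this example.
"""

# Permissions that effectively hand over the tenant: Directory.ReadWrite.All
# (the case in the comment above) plus two well-known escalation paths.
# Treating exactly these as "tenant-critical" is an assumption of this example.
TENANT_CRITICAL = {
    "Directory.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
    "AppRoleAssignment.ReadWrite.All",
}


def app_role_names(resource_app_roles):
    """Map appRole id -> permission value, from the resource SP's appRoles list."""
    return {role["id"]: role["value"] for role in resource_app_roles}


def risky_application_permissions(assignments, role_names):
    """Application permissions (appRoleAssignments) that grant a critical role.

    These work without any signed-in user: whoever can obtain a token for the
    service principal (leaked client secret, or an app that calls it) gets the
    full right, so they always deserve a finding."""
    findings = []
    for a in assignments:
        perm = role_names.get(a["appRoleId"], a["appRoleId"])  # fall back to raw GUID
        if perm in TENANT_CRITICAL:
            findings.append({
                "principal": a["principalDisplayName"],
                "permission": perm,
                "kind": "application",
                "consent": "admin",  # appRoleAssignments always require admin consent
            })
    return findings


def risky_delegated_permissions(grants, sp_names):
    """Delegated permissions (oauth2PermissionGrants) that include a critical scope.

    `scope` is a space-separated string. consentType "AllPrincipals" means an admin
    consented on behalf of every user; "Principal" means one user consented for
    themselves. Delegated rights are bounded by the signed-in user's own rights,
    but a tenant-wide grant of a critical scope is still worth a finding."""
    findings = []
    for g in grants:
        for perm in g.get("scope", "").split():
            if perm in TENANT_CRITICAL:
                findings.append({
                    "principal": sp_names.get(g["clientId"], g["clientId"]),
                    "permission": perm,
                    "kind": "delegated",
                    "consent": "admin" if g["consentType"] == "AllPrincipals" else "user",
                })
    return findings


def audit(resource_app_roles, assignments, grants, sp_names):
    """Return all findings, sorted so output is stable across runs."""
    names = app_role_names(resource_app_roles)
    findings = (risky_application_permissions(assignments, names)
                + risky_delegated_permissions(grants, sp_names))
    return sorted(findings, key=lambda f: (f["principal"], f["kind"], f["permission"]))


# --- Constructed sample data (placeholder GUIDs, not real app role IDs) ---
GRAPH_SP_APP_ROLES = [
    {"id": "aaaaaaaa-0000-0000-0000-000000000001", "value": "Directory.ReadWrite.All"},
    {"id": "aaaaaaaa-0000-0000-0000-000000000002", "value": "User.Read.All"},
    {"id": "aaaaaaaa-0000-0000-0000-000000000003", "value": "RoleManagement.ReadWrite.Directory"},
]
SERVICE_PRINCIPALS = {"sp-1": "Team Avatar Updater", "sp-2": "HR Sync",
                      "sp-3": "Backup Tool", "sp-4": "Lunch Poll"}
APP_ROLE_ASSIGNMENTS = [
    {"principalId": "sp-1", "principalDisplayName": "Team Avatar Updater",
     "appRoleId": "aaaaaaaa-0000-0000-0000-000000000001", "resourceDisplayName": "Microsoft Graph"},
    {"principalId": "sp-2", "principalDisplayName": "HR Sync",
     "appRoleId": "aaaaaaaa-0000-0000-0000-000000000002", "resourceDisplayName": "Microsoft Graph"},
    {"principalId": "sp-3", "principalDisplayName": "Backup Tool",
     "appRoleId": "aaaaaaaa-0000-0000-0000-000000000003", "resourceDisplayName": "Microsoft Graph"},
]
OAUTH2_GRANTS = [
    {"clientId": "sp-1", "consentType": "AllPrincipals", "scope": "User.Read Directory.ReadWrite.All"},
    {"clientId": "sp-4", "consentType": "Principal", "principalId": "user-1", "scope": "openid User.Read"},
]

if __name__ == "__main__":
    for f in audit(GRAPH_SP_APP_ROLES, APP_ROLE_ASSIGNMENTS, OAUTH2_GRANTS, SERVICE_PRINCIPALS):
        print(f"{f['principal']:<22} {f['kind']:<12} {f['consent']:<6} {f['permission']}")
```

Against the constructed data, the "Team Avatar Updater" app (the avatar-updating app from the comment) shows up twice, once with Directory.ReadWrite.All as an application permission and once as an admin-consented delegated scope, while the app that only holds User.Read.All is not reported. In a live tenant the same logic runs over the real Graph responses; the permission names come from the Graph service principal's `appRoles`, so the placeholder GUIDs above never need to be hard-coded.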
This was brought to Microsoft's attention by Tenable well before the Tenable CEO decided to make a public statement about it.<p>I have a relative that works for them doing the CyberSec thing who had talked about this a few weeks ago.
It's bizarre how the author refers to Microsoft as "Redmond" repeatedly.<p>> Redmond has since notified all impacted customers through the Microsoft 365 Admin Center starting August 4th.<p>> initial fix deployed by Redmond on June 7th was tagged by Tenable as incomplete<p>> To make matters even worse, Redmond's initial commitment to fixing the issue...