科技回声

A tech news platform built on Next.js that mirrors global tech news and discussion threads.

A cross-account database vulnerability in Azure PostgreSQL

60 points, posted by samokhvalov about 3 years ago

6 comments

terom, about 3 years ago

$40k bounty for complete read access to any customer database using the "public" networking access.

Caused by a bad regexp in the authentication mechanism acting as the first security layer, and lack of network-level inter-tenant isolation as a second layer of security.
Comment #31214188 not loaded
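The comment above attributes the first broken layer to a bad regexp in the authentication path. The following is an added illustration, not the thread's code and not the actual Azure check, of the general failure class: an identity string that is pattern-matched with an unescaped, unanchored regular expression instead of being compared exactly. The server name, the probe strings and the function names are all constructed for this example.

```python
import re

# Constructed example: the one server name a presented client identity is
# allowed to claim. The name is invented for this illustration.
ALLOWED_SERVER = "tenant-a.postgres.example"


def accepts_unanchored(presented: str) -> bool:
    """Flawed check of the general kind the comment describes (constructed,
    not the real Azure logic): the expected name is used as a regex via
    re.search without escaping or anchoring, so '.' matches any character
    and the pattern may match anywhere inside a longer string."""
    return re.search(ALLOWED_SERVER, presented) is not None


def accepts_anchored(presented: str) -> bool:
    """Hardened regex form: escape the literal and require a full match."""
    return re.fullmatch(re.escape(ALLOWED_SERVER), presented) is not None


def accepts_exact(presented: str) -> bool:
    """Simplest correct form: an identity is compared, never pattern-matched."""
    return presented == ALLOWED_SERVER


# Constructed probe strings paired with the verdict a correct check must give.
PROBES = {
    "tenant-a.postgres.example": True,                 # the legitimate name
    "tenant-a.postgres.example.attacker.test": False,  # extra suffix
    "evil-tenant-a.postgres.example": False,           # extra prefix
    "tenant-aXpostgresYexample": False,                # unescaped '.' acts as a wildcard
}


def audit(check) -> dict:
    """Return the probes on which `check` disagrees with the intended verdict."""
    return {p: check(p) for p, expected in PROBES.items() if check(p) != expected}


if __name__ == "__main__":
    for fn in (accepts_unanchored, accepts_anchored, accepts_exact):
        print(fn.__name__, "wrong on:", sorted(audit(fn)))
```

Running `audit` over the three checks shows the unanchored version accepting all three malformed names while the escaped full-match and the exact comparison accept only the legitimate one; as a review rule, any authentication step that builds a regex from a configured identity string should be rewritten as an equality check unless a pattern is genuinely required.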
mola, about 3 years ago

Wasn't the Wiz CEO's previous job leading Microsoft Israel R&D, after his previous cyber security startup (Adallom) was acquired by Microsoft? Azure's security stance was under his supervision [0].

Kind of ironic that his new security startup uncovers his failings at his old job...

[0] https://en.globes.co.il/en/article-microsoft-names-assaf-rappaport-head-of-israel-rd-1001220217
lovelearning, about 3 years ago

Are current security monitoring systems - and I suppose a company like MS would be using state-of-the-art - not yet capable of detecting such anomalous behavior? A user gained root access, tried to access another internal IP address, tested multiple ports. I assume all these get logged at the kernel / hypervisor / firewall level...
redwood, about 3 years ago

Wow, after the same researchers discovered something similar in Cosmos DB last year. Unreal that Azure is used by anyone.
0xy, about 3 years ago

Azure seems to be shaping up to be a security joke; there's been a concerning number of cross-account exploits in the last couple of years.

AWS isn't perfect, but you really don't see many exploits on this scale. What is Microsoft doing wrong here?

Comment #31214640 not loaded
Comment #31214379 not loaded
Comment #31215144 not loaded
cpressland, about 3 years ago

When Flexible Server was first announced, I'm sure I remember them stating it'll use Private (VNet) networking by default. Seems strange they've changed tack there.

Either way, we migrated to Flexible Server on day one of GA purely for the performance benefits (Linux) over Single Server (Windows). While there have been some painful moments, also around High Availability, the service has been a huge leap forward.