Full Disclosure: A Third (and Fourth) Azure Sign-In Log Bypass Found
nyxgeek
86 points
15 comments
March 20, 2026
Discussion Highlights (8 comments)
throwoutway
Yesterday ProPublica and ArsTechnica published a takedown of Azure: "Federal cyber experts called Microsoft’s cloud a “pile of shit,” approved it anyway" ... https://arstechnica.com/information-technology/2026/03/feder...
ronbenton
Bypassing logging feels relatively unimportant compared to some of the recent EntraID vulns we’ve seen
kjellsbells
Puts me in mind of this scathing report from CISA on how a state-sponsored group broke into Microsoft and then into the State Department and a bunch of other agencies. Reads like a heist movie. https://www.cisa.gov/sites/default/files/2024-03/CSRB%20Revi... What I found most incredible about the story is that it wasn't Microsoft who found the intrusion. It was some sysadmin at State who saw that some mail logs did not look right and investigated.
deathanatos
IIRC, (& I don't remember if I reported it), but Azure's audit logs don't reflect reality when you delete a client secret from the UI, either. If I remember the issue right, we lost a client secret (it just vanished!) and I went to the audit logs to see who dun it. According to the logs, I had done it. And yet, I also knew that I had not done it. I eventually reconstructed the bug to an old page load. I had the page loaded when there were just secrets "A" & "B". When I then clicked the delete icon for "B", Azure deleted secrets "B" and "C" … which had been added since the page load. Essentially, the UI said "delete this row" but the API was "set the set of secrets to {A}". The audit log then logged the API "correctly" in the sense of, yes, my credentials did execute that API call, I suppose, but utterly incorrectly in the sense of any reasonable real-world view as to what I had done. Thankfully we got it sorted, but it sort of shook my faith in Azure's logs in particular, and a little bit of audit logs in general. You have to make sure you've actually audited what the human did. Or, conversely, if you're trying to reason with audit logs, … you'd best understand how they were generated. I don't think I would ever accept audit logs in court, if I were on a jury. Audit logs being hot lies is within reasonable doubt.
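A small model of the stale-page failure described in the comment above, added here as an illustration; it is not code from the commenter or from Azure. `SecretStore`, `replace_all`, `delete_one` and the version counter are hypothetical names, and the sketch shows a set-replacing write beside an item-scoped write that carries the version the page was loaded at, with the audit entry recording what the server actually removed.

```python
# Constructed model; SecretStore and its methods are hypothetical, not Azure APIs.

class StaleWrite(Exception):
    """Raised when the caller's view of the resource is out of date."""

class SecretStore:
    def __init__(self, names):
        self.secrets = set(names)
        self.version = 1      # bumped on every change, similar to an ETag
        self.audit = []       # entries: (actor, stated intent, names actually removed)

    def _commit(self, actor, intent, new_set):
        # Record the server-computed delta, not only the request that was sent.
        removed = sorted(self.secrets - new_set)
        self.audit.append((actor, intent, removed))
        self.secrets = set(new_set)
        self.version += 1

    def add(self, actor, name):
        self._commit(actor, f"add {name}", self.secrets | {name})

    # Weak form: the client sends the whole desired set, built from its page load.
    def replace_all(self, actor, desired, intent):
        self._commit(actor, intent, set(desired))

    # Hardened form: the request names one item and the version the client saw.
    def delete_one(self, actor, name, seen_version):
        if seen_version != self.version:
            raise StaleWrite(f"page at v{seen_version}, store at v{self.version}")
        self._commit(actor, f"delete {name}", self.secrets - {name})

def stale_page_scenario(hardened):
    store = SecretStore({"A", "B"})
    page_view, page_version = set(store.secrets), store.version  # alice loads the page
    store.add("bob", "C")                                         # added after the page load
    try:
        if hardened:
            store.delete_one("alice", "B", page_version)
        else:
            store.replace_all("alice", page_view - {"B"}, intent="delete B")
    except StaleWrite:
        pass  # a real UI would reload the list and ask again
    return sorted(store.secrets), store.audit[-1]
```

In the weak form the last audit entry pairs the stated intent "delete B" with the removal of both B and C, which is the mismatch the comment had to reconstruct by hand.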
strbean
Maybe I can use one of these to get in to my organization azure account from my alma mater. The email was deleted right after I graduated, but Microsoft has been trying to bill me (for a reserved IP or something) for close to a decade. Support is useless of course.
fuckinpuppers
It is shocking how absolutely garbage azure is.
epistasis
There's a big tradeoff here though: IT admins really love buying Microsoft. And when the dog tries to complain about the dogfood, the dogfood purchaser tends to not understand very well.
dfedbeef
> It's not often that you see a demo of an actual Azure vulnerability, as they get patched and are gone forever. However, because Microsoft was having trouble replicating this complicated bypass, and asked for a video, I come bearing receipts.

Absolutely savage lol [If you didn't read the thing, it's one curl command.]