A security flaw in the Azure App Service, named NotLegit, has emerged. The Azure App Service is used for deploying source code from Git repositories, which can be either local or hosted on GitHub and Bitbucket. The NotLegit flaw is said to have existed for at least four years, exposing applications' .git folders to the public.
Wiz noticed on October 7
Through the NotLegit flaw, the source code of applications written in PHP, Node, Python, Ruby, and Java has been exposed. The security firm Wiz warned Microsoft about the flaw on October 7, and shared the details once Microsoft had fixed it. According to the Wiz researchers, the following deployments had their source code exposed:
- All PHP, Node, Ruby, and Python applications that were deployed using “Local Git” on a clean default application in Azure App Service since September 2017.
- All PHP, Node, Ruby, and Python applications, deployed in Azure App Service from September 2017 onward using any Git source, after a file was created or modified in the application container.
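The exposure described above comes down to the web server handing out files from the deployed repository's .git folder. The following is an added example, not Microsoft's fix or Wiz's code: a WSGI middleware that refuses any request whose path contains a `.git` segment, including percent-encoded variants, while letting the application's normal routes through. The `_hello` application and the request paths are constructed stand-ins.

```python
"""Deny HTTP access to a deployed repository's .git metadata.

Added example (not Microsoft's or Wiz's code): an application-level guard
for apps whose deploy directory, assumed here to be the served document
root, still contains a .git folder, as in the NotLegit exposure.
"""
from urllib.parse import unquote
from wsgiref.util import setup_testing_defaults


def is_git_path(raw_path: str) -> bool:
    """True if any segment of the request path is the .git directory.

    The path is percent-decoded twice so that '%2e' and '%252e' encodings
    of the dot do not bypass the check; segments are compared
    case-insensitively because the underlying file system may be too.
    """
    path = unquote(unquote(raw_path))
    segments = path.replace("\\", "/").split("/")
    return any(seg.lower() == ".git" for seg in segments)


def deny_git(app):
    """WSGI middleware: answer 404 for requests into .git, else pass through."""
    def guarded(environ, start_response):
        if is_git_path(environ.get("PATH_INFO", "")):
            # 404 rather than 403 so the response does not confirm the folder exists.
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"not found\n"]
        return app(environ, start_response)
    return guarded


def _hello(environ, start_response):
    """Constructed stand-in for the deployed application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


def serve(path: str) -> str:
    """Run one constructed request through the guarded app; return the status line."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    status = []

    def start_response(line, headers, exc_info=None):
        status.append(line)

    deny_git(_hello)(environ, start_response)
    return status[0]
```

Wrapping the real application as `deny_git(app)` is a stop-gap for a running deployment; the durable fix is to keep the .git folder out of the served directory altogether.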
You can read the full documentation here.
In a test with a brand-new dummy Azure App Service application created for the purpose, several attackers tried to reach the Git files within just four days, showing that the flaw was being actively searched for and exploited. Microsoft warned its customers about the flaw after fixing it.