
Azure AD Credentials Leaked in Public App Settings

Summary

– A cybersecurity team discovered a serious Azure AD vulnerability due to exposed application credentials in a publicly accessible appsettings.json file.
– These credentials allow attackers to impersonate trusted applications and access sensitive Microsoft 365 resources like SharePoint, OneDrive, and Azure AD data.
– The exposure resulted from common cloud misconfigurations, including improper server settings, poor deployment practices, and lack of secrets management tools.
– Researchers emphasized that this is not just a misconfiguration but a direct attack vector that hands adversaries access to cloud resources.
– Mitigation requires restricting file access, removing hardcoded secrets, rotating credentials, enforcing least-privilege access, and monitoring for abnormal use.

A recent cybersecurity investigation has revealed a critical vulnerability tied to Azure Active Directory (Azure AD) credentials being inadvertently exposed in public-facing configuration files. The discovery, made by Resecurity’s HUNTER Team, highlights how sensitive authentication details, specifically the ClientId and ClientSecret, were left openly accessible within an appsettings.json file, creating a direct pathway for potential exploitation.

This type of exposure grants attackers the ability to authenticate directly through Microsoft’s OAuth 2.0 endpoints. By doing so, malicious actors could effectively impersonate a trusted application and gain unauthorized entry into sensitive Microsoft 365 environments. The implications are severe: depending on the permissions assigned to the compromised application, intruders might access confidential emails and documents from SharePoint, OneDrive, or Exchange Online. They could also enumerate user accounts, groups, and directory roles within Azure AD, exploit the Microsoft Graph API to escalate privileges or maintain persistence, and even deploy harmful applications under the organization’s tenant.

Because the file was publicly available, these credentials were vulnerable to harvesting not only by automated scanning tools but also by targeted attacks from advanced threat actors.

This type of security lapse often stems from widespread cloud misconfiguration practices. Developers frequently embed secrets directly into configuration files such as appsettings.json, and the danger amplifies when these files are mistakenly deployed into production without adequate access controls. Common contributing factors include improperly configured servers that inadvertently expose static files, flawed deployment processes that fail to protect configuration data, and an absence of dedicated secrets management solutions like Azure Key Vault. Additional risks arise from insufficient security testing, limited code review practices, and an overreliance on security through obscurity rather than robust protective measures.

In ASP.NET Core applications, the appsettings.json file serves as a central repository for configuration parameters, often containing database connection strings, API keys, and cloud service credentials. When Azure AD details such as ClientId, TenantId, and ClientSecret are stored there, the file effectively becomes a roadmap not only for application functionality but also for potential intrusion by adversaries.

Resecurity researchers emphasized that such exposures should not be dismissed as minor oversights. Instead, they represent a clear and present danger. Exposing appsettings.json with Azure AD secrets constitutes a direct attack vector, effectively handing malicious actors the keys to an organization’s cloud infrastructure. This is not a simple misconfiguration; it is a pending cloud compromise.

To mitigate these risks, immediate action is required. Organizations should restrict public access to configuration files, eliminate hardcoded secrets, rotate any credentials that may have been exposed, enforce the principle of least privilege, and implement continuous monitoring for unusual credential activity.
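As an added example (not code from the article or from Resecurity), the following pre-deployment check flags the kind of hardcoded Azure AD secret described above in an appsettings.json, run against a constructed unsafe file and its corrected form. The sample file contents and the list of secret-bearing key names are assumptions.

```python
import json

# Constructed sample (placeholder values, not real credentials): the AzureAd
# section the article describes, with the ClientSecret embedded as a literal.
UNSAFE_APPSETTINGS = """
{
  "AzureAd": {
    "TenantId": "00000000-0000-0000-0000-000000000000",
    "ClientId": "11111111-1111-1111-1111-111111111111",
    "ClientSecret": "PLACEHOLDER-literal-secret"
  },
  "ConnectionStrings": { "Default": "Server=db;Password=PLACEHOLDER-pw;" }
}
"""

# The same file with secrets removed. ASP.NET Core's configuration binder still
# resolves "AzureAd:ClientSecret" from the environment variable AzureAd__ClientSecret
# or from the Azure Key Vault configuration provider, so no literal has to ship.
SAFE_APPSETTINGS = """
{
  "AzureAd": {
    "TenantId": "00000000-0000-0000-0000-000000000000",
    "ClientId": "11111111-1111-1111-1111-111111111111"
  },
  "ConnectionStrings": { "Default": "Server=db;" }
}
"""

# Assumed list of key names that must never hold a literal in a deployed config.
SENSITIVE_KEYS = ("clientsecret", "secret", "password", "pwd", "apikey", "accesskey")

def _walk(node, path=""):
    """Yield (path, value) for each leaf of a nested object, in ASP.NET Core 'Section:Key' form."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}:{key}" if path else key)
    else:
        yield path, node

def find_hardcoded_secrets(appsettings_text):
    """Return config paths holding a literal secret: a secret-bearing key with a
    non-empty string value, or any string embedding a Password=/Pwd= fragment."""
    findings = []
    for path, value in _walk(json.loads(appsettings_text)):
        if not isinstance(value, str) or not value:
            continue
        key = path.rsplit(":", 1)[-1].lower()
        if any(s in key for s in SENSITIVE_KEYS) or "password=" in value.lower() or "pwd=" in value.lower():
            findings.append(path)
    return findings
```

Wiring this into a CI step that fails the build on any finding stops the file from reaching production with the secret inside it; the rotation of an already-exposed secret still has to happen separately.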

(Source: InfoSecurity Magazine)
