A cybersecurity assessment has uncovered a serious vulnerability involving Azure Active Directory (Azure AD).
Resecurity’s HUNTER Team discovered that application credentials, specifically the ClientId and ClientSecret, were left exposed in a publicly accessible appsettings.json file.
A Direct Path to Compromise
These credentials allow direct authentication against Microsoft’s OAuth 2.0 endpoints. In practice, this means an attacker could impersonate the trusted application and access sensitive Microsoft 365 resources.
Depending on the permissions granted to the compromised app, attackers might:
-
Retrieve files and emails from SharePoint, OneDrive or Exchange Online
-
Enumerate users, groups and directory roles in Azure AD
-
Abuse the Microsoft Graph API to escalate privileges or maintain persistence
-
Deploy malicious applications under the organization’s tenant
Because the file was publicly available, the credentials could be harvested by both automated bots and sophisticated adversaries.
Why Misconfigurations Lead to Leaks
The researchers attributed this issue to common cloud misconfigurations.
Developers often embed secrets directly into configuration files like appsettings.json. The risk emerges when these files are accidentally pushed into production environments without proper restrictions.
Problems typically stem from:
-
Misconfigured servers that expose static files
-
Poor deployment practices that don’t secure configuration data
-
Lack of secrets management tools like Azure Key Vault
-
Minimal security testing and code reviews
-
A reliance on obscurity instead of actual protection mechanisms
Read more on cloud misconfigurations: Understanding Cloud Misconfiguration: Causes, Corrections, and Prevention
In ASP.NET Core applications, appsettings.json is a central configuration file. It usually stores database connection strings, API keys and cloud service credentials. When Azure AD details, such as ClientId, TenantId and ClientSecret, are included, the file becomes a blueprint not just for how the application runs, but also for how attackers might break in.
Mitigation and Lessons Learned
Resecurity researchers warned that exposing secrets in this way is not a harmless oversight but a direct attack vector.
“Put simply, exposing appsettings.json with Azure AD secrets is not just a misconfiguration; it’s an attack vector that directly hands adversaries the keys to the cloud,” the team explained.
“This is not just a misconfiguration – it’s a cloud compromise waiting to happen. Organizations must realize that cloud security is only as strong as its weakest exposed file.”
Mitigation requires immediate action. Administrators are advised to restrict public access to configuration files, remove hardcoded secrets, rotate compromised credentials, enforce least-privilege access and monitor for abnormal credential use.
Image credit: jackpress / Shutterstock.com
