{"id":2714,"date":"2025-09-07T23:52:08","date_gmt":"2025-09-07T23:52:08","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2025\/09\/07\/azure-ad-credentials-exposed-in-public-app-settings-file\/"},"modified":"2025-09-07T23:52:08","modified_gmt":"2025-09-07T23:52:08","slug":"azure-ad-credentials-exposed-in-public-app-settings-file","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2025\/09\/07\/azure-ad-credentials-exposed-in-public-app-settings-file\/","title":{"rendered":"Azure AD Credentials Exposed in Public App Settings File"},"content":{"rendered":"<div id=\"cphContent_pnlArticleBody\">\n<div id=\"layout-6d862a82-364b-458e-b130-18fa7195dd7b\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>A cybersecurity assessment has uncovered a serious vulnerability involving Azure Active Directory (Azure AD).<\/p>\n<p>Resecurity\u2019s HUNTER Team discovered that application credentials, specifically the ClientId and ClientSecret, were left exposed in a publicly accessible appsettings.json file.<\/p>\n<h2>A Direct Path to Compromise<\/h2>\n<p>These credentials allow direct authentication against Microsoft\u2019s OAuth 2.0 endpoints. 
In practice, this\u00a0means an attacker could impersonate the trusted application and access sensitive Microsoft 365 resources.<\/p>\n<p>Depending on the permissions granted to the compromised app, attackers might:<\/p>\n<ul>\n<li>\n<p>Retrieve files and emails from SharePoint, OneDrive or Exchange Online<\/p>\n<\/li>\n<li>\n<p>Enumerate users, groups and directory roles in Azure AD<\/p>\n<\/li>\n<li>\n<p>Abuse the Microsoft Graph API to escalate privileges or maintain persistence<\/p>\n<\/li>\n<li>\n<p>Deploy malicious applications under the organization\u2019s tenant<\/p>\n<\/li>\n<\/ul>\n<p>Because the file was publicly available, the credentials could be harvested by both automated bots and sophisticated adversaries.<\/p>\n<h2>Why Misconfigurations Lead to Leaks<\/h2>\n<p>The researchers attributed\u00a0this issue to common cloud misconfigurations.<\/p>\n<p>Developers often embed secrets directly into configuration files like appsettings.json. The risk emerges when these files are accidentally pushed into production environments without proper restrictions.<\/p>\n<p>Problems typically stem from:<\/p>\n<ul>\n<li>\n<p>Misconfigured servers that expose static files<\/p>\n<\/li>\n<li>\n<p>Poor deployment practices that don\u2019t secure configuration data<\/p>\n<\/li>\n<li>\n<p>Lack of secrets management tools like Azure Key Vault<\/p>\n<\/li>\n<li>\n<p>Minimal security testing and code reviews<\/p>\n<\/li>\n<li>\n<p>A reliance on obscurity instead of actual protection mechanisms<\/p>\n<\/li>\n<\/ul>\n<p><em>Read more on cloud misconfigurations: Understanding Cloud Misconfiguration: Causes, Corrections, and Prevention<\/em><\/p>\n<p>In ASP.NET Core applications, appsettings.json is a central configuration file. It usually stores database connection strings, API keys and cloud service credentials. 
When Azure AD details, such as ClientId, TenantId and ClientSecret, are included, the file becomes a blueprint not just for how the application runs, but also for how attackers might break in.<\/p>\n<h2>Mitigation and Lessons Learned<\/h2>\n<p>Resecurity researchers warned that exposing secrets in this way is not a harmless oversight but a direct attack vector.<\/p>\n<p>\u201cPut simply, exposing appsettings.json with Azure AD secrets is not just a misconfiguration; it\u2019s an attack vector that directly hands adversaries the keys to the cloud,\u201d\u00a0the team explained.<\/p>\n<p>\u201cThis is not just a misconfiguration \u2013 it\u2019s a cloud compromise waiting to happen. Organizations must realize that cloud security is only as strong as its weakest exposed file.\u201d<\/p>\n<p>Mitigation requires immediate action. Administrators are advised to\u00a0restrict public access to configuration files, remove hardcoded secrets, rotate compromised credentials, enforce least-privilege access and monitor for abnormal credential use.<\/p>\n<\/div>\n<p>Image\u00a0credit: jackpress \/ Shutterstock.com<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A cybersecurity assessment has uncovered a serious vulnerability involving Azure Active Directory (Azure AD). Resecurity\u2019s HUNTER Team discovered that application credentials, specifically the ClientId and ClientSecret, were left exposed in a publicly accessible appsettings.json file. A Direct Path to Compromise These credentials allow direct authentication against Microsoft\u2019s OAuth 2.0 endpoints. 
In practice, this\u00a0means an attacker<\/p>\n","protected":false},"author":2,"featured_media":2715,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2714","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2714-10873713-cb8b-4443-a978-83bbf0bf0c7d.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2714-10873713-cb8b-4443-a978-83bbf0bf0c7d-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2714-10873713-cb8b-4443-a978-83bbf0bf0c7d.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2714-10873713-cb8b-4443-a978-83bbf0bf0c7d.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2714-10873713-cb8b-4443-a978-83bbf0bf0c7d.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2714-10873713-cb8b-4443-a978-83bbf0bf0c7d.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2714-10873713-cb8b-4443-a978-83bbf0bf0c7d.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2714-10873713-cb8b-4443-a978-83bbf0bf0c7d.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2714-10873713-cb8b-4443-a978-83bbf0bf0c7d.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2714-10873713-cb8b-4443-a978-83bbf0bf0c7d.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2714-10873713-cb8b-4443-a978-83bbf0bf0c7d-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a 
href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2714","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=2714"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2714\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/2715"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=2714"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=2714"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=2714"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}