Enumerating Users via Microsoft Graph | Image: Resecurity
Resecurity’s HUNTER Team uncovered a severe misconfiguration: sensitive Azure Active Directory (Azure AD) application credentials exposed in a publicly accessible appsettings.json file. As the report warns, “With these credentials, an attacker can authenticate directly against Microsoft’s OAuth 2.0 endpoints, effectively masquerading as the trusted application.”
The appsettings.json file is a cornerstone of ASP.NET Core applications, storing critical configurations such as database connection strings, API keys, and authentication details. But when this file is left exposed, attackers don’t just get a configuration blueprint — they get the actual secrets.
Resecurity highlights the gravity of this exposure: “Exposing appsettings.json with Azure AD secrets is not just a misconfiguration; it’s an attack vector that directly hands adversaries the keys to the cloud.”
Armed with leaked values like ClientId and ClientSecret, attackers can easily obtain valid OAuth 2.0 tokens. The report explains:
- “With the ClientId and ClientSecret exposed, an attacker essentially possesses the ‘username and password’ of the Azure AD application.”
- By sending a token request to Microsoft’s login endpoint, adversaries receive a Bearer access token that grants programmatic access to Microsoft Graph.
Once authenticated, attackers can:
- Enumerate users, groups, and directory roles via Graph API.
- Exfiltrate data from services like SharePoint, OneDrive, and Exchange Online.
- Deploy rogue applications within the tenant for persistence.
- Escalate privileges by exploiting over-permissioned roles.
The exposure typically arises from poor secrets management practices:
- Misconfigured servers serving static .json files publicly.
- Developers accidentally pushing internal config files into production.
- Lack of secret vaulting (e.g., Azure Key Vault, AWS Secrets Manager, HashiCorp Vault).
- Overreliance on obscurity: assuming “no one will find this file.”
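A practical guard against the second and third causes above is a pre-deploy check that refuses any appsettings*.json containing literal secrets. The following script is an added example written for this article, not Resecurity's tooling; the sample configuration is constructed, and the key names (AzureAd:ClientSecret, ConnectionStrings) follow the common ASP.NET Core / Microsoft.Identity.Web layout.

```python
"""Flag plaintext secrets in ASP.NET Core appsettings*.json before deployment.

Added example for this article, not Resecurity's tooling. SAMPLE_APPSETTINGS
is constructed; key names follow the usual AzureAd / ConnectionStrings layout.
"""
from __future__ import annotations

import json
import re
from typing import Iterator

# Constructed sample of what a leaked appsettings.json typically looks like.
SAMPLE_APPSETTINGS = """
{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "TenantId": "00000000-0000-0000-0000-000000000000",
    "ClientId": "11111111-1111-1111-1111-111111111111",
    "ClientSecret": "EXAMPLE~PlaintextSecretValue1234567890"
  },
  "ConnectionStrings": {
    "Default": "Server=db;Database=app;User Id=sa;Password=P@ssw0rd!;"
  },
  "KeyVault": {
    "VaultUri": "https://example-vault.vault.azure.net/"
  },
  "Logging": { "LogLevel": { "Default": "Information" } }
}
"""

# Key names that should never carry a literal value in a checked-in config.
SENSITIVE_KEY_RE = re.compile(
    r"(secret|password|pwd|apikey|api_key|token|connectionstring)", re.I
)
# Acceptable values: empty, env-style placeholders, or Key Vault references.
PLACEHOLDER_RE = re.compile(r"^(\$\{.*\}|@Microsoft\.KeyVault\(.*\)|<.*>|)$")
# Connection strings embedding a password are flagged whatever the key is called.
CONN_PASSWORD_RE = re.compile(r"(password|pwd)\s*=\s*[^;]+", re.I)


def walk(node, path: tuple[str, ...] = ()) -> Iterator[tuple[str, str]]:
    """Yield (colon-joined path, value) for every string leaf in the JSON tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, path + (key,))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, path + (str(i),))
    elif isinstance(node, str):
        yield ":".join(path), node


def find_plaintext_secrets(config_text: str) -> list[str]:
    """Return config paths holding a literal secret instead of a vault reference."""
    findings = []
    for path, value in walk(json.loads(config_text)):
        last_key = path.rsplit(":", 1)[-1]
        if CONN_PASSWORD_RE.search(value):
            findings.append(path)
        elif SENSITIVE_KEY_RE.search(last_key) and not PLACEHOLDER_RE.match(value):
            findings.append(path)
    return findings


if __name__ == "__main__":
    hits = find_plaintext_secrets(SAMPLE_APPSETTINGS)
    for hit in hits:
        print(f"plaintext secret at {hit}")
    raise SystemExit(1 if hits else 0)
```

Wire it into CI so the build fails when it exits non-zero; a ClientSecret that reads `${AZURE_CLIENT_SECRET}` or a `@Microsoft.KeyVault(...)` reference passes, a literal value does not. Restricting what the web server serves is still required on top of this, since the check only keeps secrets out of the file, not the file off the internet.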
Resecurity notes, “Attackers continuously crawl websites, use tools like dirsearch, and scan GitHub repos for exactly this type of leak.”
With a valid access token, attackers can impersonate the application itself — bypassing user MFA and normal sign-in alerts. This creates opportunities for:
- Cloud account compromise
- Persistence via OAuth permissions
- Supply chain exploitation, if the app is customer-facing
The report emphasizes: “What appears to be a harmless JSON configuration file can in reality act as a master key to an organization’s cloud kingdom.”
Resecurity recommends several immediate steps:
- Restrict file access – Ensure .json configs are never publicly accessible.
- Remove plaintext secrets – Use secure vaulting solutions instead of hardcoding.
- Rotate compromised credentials – Treat exposed ClientSecrets as already stolen.
- Apply least privilege – Avoid granting excessive scopes like Directory.Read.All.
- Monitor & alert – Enable Azure AD logging for unusual service principal activity.
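The last recommendation, monitoring for unusual service principal activity, can be turned into a concrete rule: learn which IP addresses and resources each application normally signs in from, then alert when a successful sign-in comes from a new address, targets a resource the app never used (such as Microsoft Graph), or belongs to an app with no history at all. The code below is an added example for this article, not Resecurity's detection content; the records are constructed and loosely follow the AADServicePrincipalSignInLogs columns (AppId, IPAddress, ResourceDisplayName, ResultType), whose exact names should be treated as an assumption to verify against your own workspace.

```python
"""Flag unusual service-principal sign-ins from Azure AD / Entra ID logs.

Added example for this article, not Resecurity's detection content. SAMPLE_LOGS
is constructed; the column names are an assumption modelled on
AADServicePrincipalSignInLogs and should be checked against your workspace.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timezone

# Sign-ins before this time form the per-app baseline; later ones are evaluated.
BASELINE_CUTOFF = datetime(2025, 6, 8, tzinfo=timezone.utc)

# Constructed sample: an app that normally calls its own API from one egress IP,
# then suddenly reaches Microsoft Graph from an unknown address, followed by an
# app with no history at all.
SAMPLE_LOGS = [
    {"TimeGenerated": "2025-06-01T08:00:00Z", "AppId": "1111-aaaa", "IPAddress": "203.0.113.10",
     "ResourceDisplayName": "Contoso Orders API", "ResultType": "0"},
    {"TimeGenerated": "2025-06-03T08:00:00Z", "AppId": "1111-aaaa", "IPAddress": "203.0.113.10",
     "ResourceDisplayName": "Contoso Orders API", "ResultType": "0"},
    {"TimeGenerated": "2025-06-09T08:00:00Z", "AppId": "1111-aaaa", "IPAddress": "203.0.113.10",
     "ResourceDisplayName": "Contoso Orders API", "ResultType": "0"},
    {"TimeGenerated": "2025-06-10T02:13:00Z", "AppId": "1111-aaaa", "IPAddress": "198.51.100.77",
     "ResourceDisplayName": "Microsoft Graph", "ResultType": "0"},
    {"TimeGenerated": "2025-06-10T02:14:00Z", "AppId": "1111-aaaa", "IPAddress": "198.51.100.77",
     "ResourceDisplayName": "Microsoft Graph", "ResultType": "7000215"},  # failed sign-in
    {"TimeGenerated": "2025-06-11T02:13:00Z", "AppId": "2222-bbbb", "IPAddress": "198.51.100.77",
     "ResourceDisplayName": "Microsoft Graph", "ResultType": "0"},
]


def parse_time(value: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z as an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_baseline(records: list[dict], cutoff: datetime) -> dict[str, dict[str, set]]:
    """Collect the IPs and resources each app used in successful sign-ins before cutoff."""
    baseline: dict[str, dict[str, set]] = defaultdict(
        lambda: {"ips": set(), "resources": set()}
    )
    for r in records:
        if parse_time(r["TimeGenerated"]) < cutoff and r["ResultType"] == "0":
            baseline[r["AppId"]]["ips"].add(r["IPAddress"])
            baseline[r["AppId"]]["resources"].add(r["ResourceDisplayName"])
    return baseline


def detect_anomalies(records: list[dict], cutoff: datetime = BASELINE_CUTOFF) -> list[dict]:
    """Return one alert per successful post-cutoff sign-in that departs from the baseline."""
    baseline = build_baseline(records, cutoff)
    alerts = []
    for r in records:
        # Only successful sign-ins after the baseline window are evaluated.
        if parse_time(r["TimeGenerated"]) < cutoff or r["ResultType"] != "0":
            continue
        reasons = []
        known = baseline.get(r["AppId"])  # .get() does not create a default entry
        if known is None:
            reasons.append("no_baseline")
        else:
            if r["IPAddress"] not in known["ips"]:
                reasons.append("new_ip")
            if r["ResourceDisplayName"] not in known["resources"]:
                reasons.append("new_resource")
        if reasons:
            alerts.append({
                "TimeGenerated": r["TimeGenerated"],
                "AppId": r["AppId"],
                "IPAddress": r["IPAddress"],
                "ResourceDisplayName": r["ResourceDisplayName"],
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOGS):
        print(alert)
```

A "new_resource" hit on Microsoft Graph for an app that has never called Graph is exactly the enumeration step the report describes, and "no_baseline" catches a rogue application registered for persistence. Failed sign-ins are skipped here; a burst of them for a single AppId after a secret rotation is worth a second rule, since it shows the old secret is still being tried.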