Azure Account Takeover Worth $11,756



Dangling DNS zone a danger for cloud security

Security researchers have earned an $11,756 bug bounty after discovering a mechanism to take over Microsoft Azure DevOps accounts using just one click.

Sean Yeoh, engineering lead at Assetnote, a platform for continuous security monitoring, writes that his team uncovered the problem after first discovering that the subdomain was vulnerable to an Azure Zone DNS takeover.

The security weakness — identified through automated scanning — was found in what is known technically as a “dangling DNS zone”, opening the door to exploitation.

“The NS [Name Server] records for were pointing to Azure DNS, however they were no longer registered on Azure DNS,” Yeoh explains in a technical write up.

“As the lookups were being refused, we were able to register the subdomain under an Azure account that we owned. By doing so, we were able to create arbitrary DNS records for the subdomain.”

Hacking the authentication flow

After overwriting the DNS records for the domain, Yeoh and his colleagues began exploring the impact of this hack. This turned out to be quite considerable as there were subdomains underneath that facilitated an authentication flow through

Worse yet, this path wasn’t tied down and so any domain under * could receive authentication tokens.

The combined security weaknesses created a mechanism for hackers to steal authentication tokens before abusing these credentials to gain deeper access.

“We found that we could exchange the stolen authentication token for a Bearer token through,” Yeoh explains. “This Bearer token could then be used to authenticate to, and”


The researchers were able to ultimately abuse the compromised tokens on to access resources.

“A malicious attacker could perform a one click drive attack on an unsuspecting user by directing them to a URL that would result in their tokens being disclosed,” Yeoh explains.

“From this point, the attacker would have full control over the user’s Azure DevOps account,” he added.

The fundamental security weakness in DNS record setups exposed by the security researchers also created a means to change MX records in order to capture emails.

The possibility of capturing emails in itself opened up the possibility of obtaining rogue SSL certificates.

Fortunately, the problem was addressed by Microsoft Azure just a couple of days after it was reported. Assetnote earned an $11,756 bounty for its research.

Kicks on Route53

In response to questions from The Daily Swig, Assetnote said it had discovered vulnerabilities of the same type in many organizations.

“We’ve found dangling zone takeovers for a lot of large companies, especially when they are using Route53,” it explained.

Such takeovers can often be escalated so that it’s possible to register SSL certs and receive email, as in the Azure case. The latest case therefore offers plenty of generally applicable lessons.

Assetnote advised: “Clean up your DNS records frequently, ensure there is a change control process that ensures you delete your DNS records first before deleting the hosted zone on your cloud provider. Scan for hosted zone takeovers frequently on your attack surface.”
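The dangling-zone condition Yeoh describes (NS records in the parent zone still pointing at a cloud provider's nameservers, while those nameservers refuse queries because the hosted zone no longer exists) is exactly what a periodic scan of your own attack surface should look for. The following is an added example, not Assetnote's tooling or code from the write-up: it classifies each delegated subdomain by nameserver provider and treats a delegation as dangling when every provider nameserver answers with REFUSED or SERVFAIL. The subdomains, nameserver names and response codes are constructed so it runs offline; the Azure DNS and Route53 nameserver suffixes are the providers' real naming patterns.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Nameserver suffixes used by the two cloud DNS providers named in the article.
CLOUD_NS_PATTERNS = {
    "azure-dns": re.compile(r"\.azure-dns\.(com|net|org|info)\.?$", re.I),
    "route53": re.compile(r"\.awsdns-\d+\.(com|net|org|co\.uk)\.?$", re.I),
}

# A query function takes (nameserver, zone name) and returns the DNS rcode as
# text ("NOERROR", "REFUSED", "SERVFAIL", ...). In production this sends an SOA
# query to that nameserver; here a constructed stand-in is used (see below).
QueryFn = Callable[[str, str], str]


@dataclass
class Finding:
    name: str
    provider: str
    nameservers: List[str]
    verdict: str  # "dangling", "healthy" or "unknown"


def provider_for(nameserver: str) -> Optional[str]:
    """Return the cloud provider a nameserver hostname belongs to, if any."""
    for provider, pattern in CLOUD_NS_PATTERNS.items():
        if pattern.search(nameserver):
            return provider
    return None


def check_delegation(name: str, nameservers: List[str], query: QueryFn) -> Finding:
    """Classify one delegation read from the parent zone."""
    providers = {p for p in (provider_for(ns) for ns in nameservers) if p}
    if not providers:
        # Not a cloud-hosted zone we know how to assess.
        return Finding(name, "other", nameservers, "unknown")
    provider = ",".join(sorted(providers))
    rcodes = {query(ns, name) for ns in nameservers if provider_for(ns)}
    # A provider nameserver that refuses the zone does not host it: the parent
    # still delegates to the provider, so the zone name is claimable there.
    if rcodes and rcodes <= {"REFUSED", "SERVFAIL"}:
        verdict = "dangling"
    elif "NOERROR" in rcodes:
        verdict = "healthy"
    else:
        verdict = "unknown"
    return Finding(name, provider, nameservers, verdict)


def scan(delegations: Dict[str, List[str]], query: QueryFn) -> List[Finding]:
    return [check_delegation(n, ns, query) for n, ns in delegations.items()]


# Constructed sample input: NS delegations as exported from a parent zone, and
# the rcode each provider nameserver would return for an SOA query on the zone.
SAMPLE_DELEGATIONS = {
    "app.example.com": [
        "ns1-01.azure-dns.com", "ns2-01.azure-dns.net",
        "ns3-01.azure-dns.org", "ns4-01.azure-dns.info",
    ],
    "shop.example.com": ["ns-123.awsdns-15.com", "ns-456.awsdns-56.net"],
    "mail.example.com": ["ns1.example-hosting.invalid"],
}
SAMPLE_RCODES = {
    "app.example.com": "REFUSED",   # hosted zone deleted, NS records left behind
    "shop.example.com": "NOERROR",  # zone still hosted in Route53
}


def fake_query(nameserver: str, qname: str) -> str:
    """Constructed stand-in for a live SOA query against a nameserver."""
    return SAMPLE_RCODES.get(qname, "SERVFAIL")


def dangling_names(delegations=SAMPLE_DELEGATIONS, query=fake_query) -> List[str]:
    return [f.name for f in scan(delegations, query) if f.verdict == "dangling"]


if __name__ == "__main__":
    for finding in scan(SAMPLE_DELEGATIONS, fake_query):
        print(f"{finding.name:20} {finding.provider:10} {finding.verdict}")
```

To run this against live DNS, replace fake_query with a function that resolves the nameserver hostname to an address, sends an SOA query for the zone name directly to it (for example with dnspython's dns.message.make_query and dns.query.udp) and returns dns.rcode.to_text of the response. The ordering in Assetnote's change-control advice follows from the same logic: removing the NS records from the parent zone before deleting the hosted zone means no scan, yours or anyone else's, ever sees a delegation whose target refuses the zone.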

The Daily Swig also approached Microsoft for comment. We’ll update this story as and when more information comes to hand.
