Major security bug: Account admin can access storage connection strings (even if he is not Admin)

Question

I tried to bring this to Microsoft's attention several times (using the feedback option in Azure Portal), but I never got an answer.

I was chocked the first time I discovered that a user, that is not listed in the Azure Portal's "User Management" has almost full access to the Portal.

When creating the Azure Subscription I used my "normal" Live Id, which I also use for MSN, MSDN etc.

For security reasons I wanted to isolate the users which have access to the Azure Portal to only 2 technical staff members, so I changed the Service Administrator to be a random@passport.com account, and also added a Co-Admin. Both these users are only used to Azure Portal, and even the e-mail we try to keep as a secret.

By accident I one day entered my "normal" live ID, and was chocked to find out that I could access the Portal. I can see all Hosted Services, storage accounts etc. If I click "View storage account keys" I get an Forbidden error, so I thought.. phew... it's read-only access. But then I click on a hosted service, and could see the entire storage connection string. And with this I can delete all our data.

You might say... just keep my "normal" live id secure. But the thing is, that if I loose my phone, that person can just ask for a password reset, and 1-2-3 he has access to "ALL" our data.

You might say... why don't you just change the Live Id to the Account Administrator. Well that is not possible, without contacting Microsoft.

Never the less. If this is by design, then the Account Admin needs to be listed in the "User Management" section in the Azure Portal (even if the bug with access to storage account is fixed). How am I to know this otherwise?

Another issue, is that session to the Azure Portal does not have a connection time out. I often come to the office in the morning, and find that I have full access to portal, because I didn't close my browser. The Billing portal has a session time out on 20 minutes (it's billing... how cares?)... the important thing is the Portal and our data.

MS: Pleas fix this!

Answer 1

Hi, I'm on the Windows Azure team. Can you please get in touch with me: baslam at microsoft dot com? I tried to reproduce the behavior you're seeing on my own subscription, but I couldn't. I need information like your LiveIDs to be able to see what's going on.

Answer 2

I seem to recall awhile back that there was a bug with how things were rendered if you logged in with different Live ID's. Its somehow still picking up the old Id's permissions.

Try clearing your cookies/cache and see if you are still seeing the same issue.

PS - Its monday morning and I'm still undercaffinated. So forgive me if my memory on this is off.

Answer 3

I've send a mail to you.

Answer 4

I tried using Google Chrome incognito (anonymous browsing) mode to access the portal, and I have the same issue... so I believe I can rule out cookies.