As described in the Azure Functions documentation, Azure Functions let you use keys to make it harder to access your HTTP function endpoints during
development.
While keys provide a default security mechanism, distributing them in public apps is a bad practice and can lead to security and maintainability
issues.
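A check that can run before a client app is published, as an added example (not code from this page or from any Azure tooling): it scans source text for literal Azure Functions keys and reports them redacted. It assumes the key appears where Azure Functions accepts it, in the `code` query parameter or the `x-functions-key` header, and treats any 20+ character token there as a key; the function names, hostname and key values are constructed.

```python
import re

# Heuristic (assumption): any literal token of 20+ key-like characters in
# either location counts as a function, host or system key.
URL_KEY = re.compile(
    r"https://[\w.-]+\.azurewebsites\.net/[^\s\"'?]*\?(?:[^\s\"'#]*&)?"
    r"code=([A-Za-z0-9_\-/+%=]{20,})", re.IGNORECASE)
HEADER_KEY = re.compile(
    r"x-functions-key[\"']?\s*[:=,]\s*[\"']([A-Za-z0-9_\-/+=]{20,})[\"']",
    re.IGNORECASE)
PATTERNS = (("url-code-param", URL_KEY), ("x-functions-key-header", HEADER_KEY))


def redact(key):
    """Keep only a short prefix so the report does not leak the key again."""
    return f"{key[:4]}... ({len(key)} chars)"


def find_function_keys(text):
    """Return (line number, kind, redacted key) for each literal key found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS:
            for match in pattern.finditer(line):
                findings.append((lineno, kind, redact(match.group(1))))
    return findings


# Constructed client-side source: hostname and key values are made up.
SAMPLE = '''\
const api = "https://contoso-app.azurewebsites.net/api/orders?code=CONSTRUCTEDkeyCONSTRUCTEDkeyCONSTRUCTEDkey00==";
fetch(url, { headers: { "x-functions-key": "CONSTRUCTEDhostKEYconstructedHOSTkey1234" } });
const viaProxy = "https://api.example.com/orders";  // no key shipped to the client
fetch(url, { headers: { "x-functions-key": runtimeValue } });  // not a literal
'''

if __name__ == "__main__":
    for lineno, kind, key in find_function_keys(SAMPLE):
        print(f"line {lineno}: {kind}: {key}")
```

A finding does not say which of the three key types leaked, so treat each one as the broadest scope until the key is identified and rotated.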
What is the potential impact?
The impact of this access depends on what the Azure Function does and what permissions the key has.
There are three types of keys that can be used to authenticate requests to an Azure Function:
- Function key: Provides access to a specific function.
- Host key: Provides access to all functions within a function app.
- System key: Provides access to all functions within a function app and allows for administrative actions.
Leaking these keys can result in unintended access to the functions and data they control.
The following real-world scenarios illustrate some impacts of an attacker exploiting the key.
Compromise of sensitive data
If the affected service is used to store or process personally identifiable information or other sensitive data, attackers who know an
authentication secret may be able to access it. Depending on the type of data that is compromised, this could lead to privacy violations, identity
theft, financial loss, or other negative outcomes.
In most cases, a company suffering a sensitive data compromise will face a reputational loss when the security issue is publicly disclosed.
Modification of application data
Applications may rely on data that cannot be distributed with the application code. This may be due to the size of the data, or because the data is
regularly updated. This data is downloaded by the application as it is needed.
If an attacker can gain access to an authentication secret, they may be able to alter or delete this application data. This may cause parts of the
application to misbehave or stop working. Maliciously altered data could also contain undesirable content which results in reputational damage.
Financial loss
Financial losses can occur when a secret is used to access a paid third-party-provided service and is disclosed as part of the source code of
client applications. With the secret, each user of the application can use the third-party service without limit for their own
needs, including in ways that were not expected.
This additional use of the secret will lead to added costs with the service provider.
Moreover, when rate or volume limiting is set up on the provider side, this additional use can prevent the regular operation of the affected
application. This might result in a partial denial of service for all the application’s users.