Cross-Tenant Token Leakage in Azure Automation

We discussed this vulnerability as part of our weekly podcast on 15 March 2022

Azure Automation would run an internal service serving JWTs that could be accessed across tenant boundaries.

Each time a tenant automation script would start an orchestrator service would also be started running on a random high port. This service could be used to request a JWT for the tenant. The problem was that as there was no additional authentication layer, any tenant could make requests to these services and obtain the JWT for other tenant.