Microsoft has provided the following comments for researchers who wish to conduct similar research in the future:
- Using tokens or credentials to access data that is not your own is a violation of Microsoft Azure Bounty Rules of Engagement.
- Future researchers may simply report a suspected overly-permissive SAS token to the bounty program without using the Azure Storage Explorer tool to verify the validity of the token. The Microsoft Security Response Center will perform necessary investigations to determine the impact and scope of the reported token on behalf of the submitter.
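An added example of the kind of triage that fits that guidance (my code, not from the original post or from Microsoft): it parses only the query string of a suspected SAS URL and reports the properties that make the token overly permissive, so the finding can be described in a report without the token ever being used to access data. The storage account name, signature value and lifetime threshold are constructed placeholders.

```python
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlparse, parse_qs

# SAS permission letters that let the holder change what a storage URL serves.
WRITE_LIKE = {"w": "write", "c": "create", "d": "delete", "a": "add"}
MAX_LIFETIME_DAYS = 7  # assumed triage threshold, not an Azure-defined limit

# Constructed sample: a container-scoped SAS with write-like permissions and a far expiry.
SUSPECT_URL = ("https://examplestorage.blob.core.windows.net/releases"
               "?sv=2021-06-08&sr=c&sp=racwdl&st=2023-01-01T00:00:00Z"
               "&se=2099-01-01T00:00:00Z&spr=https&sig=PLACEHOLDER")


def parse_sas(url: str) -> dict:
    """Return the SAS query parameters of an Azure Storage URL as single values."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def audit_sas(url: str, now: Optional[datetime] = None) -> list:
    """List the properties that make a SAS token overly permissive (empty list if none).

    Only the URL text is inspected; nothing is sent to the storage account.
    """
    now = now or datetime.now(timezone.utc)
    sas = parse_sas(url)
    if "sig" not in sas or "sp" not in sas:
        return ["not a SAS URL (missing sp/sig)"]
    findings = []
    perms = set(sas["sp"])
    for letter, name in WRITE_LIKE.items():
        if letter in perms:
            findings.append(f"grants {name} permission ('{letter}')")
    if "ss" in sas:
        findings.append("account-level SAS (ss) rather than a single-service SAS")
    if sas.get("sr") == "c":
        findings.append("scoped to a whole container, not a single blob")
    if "se" in sas:
        expiry = datetime.fromisoformat(sas["se"].replace("Z", "+00:00"))
        days_left = (expiry - now).days
        if days_left > MAX_LIFETIME_DAYS:
            findings.append(f"expires in {days_left} days")
    else:
        findings.append("no expiry (se) parameter")
    if "sip" not in sas:
        findings.append("no source IP restriction (sip)")
    return findings


if __name__ == "__main__":
    for finding in audit_sas(SUSPECT_URL):
        print("-", finding)
```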
Unlike the WinGet manifest InstallerUrl hijack, this technique offers a far more impactful supply chain attack, because it allows the PC Manager releases served from the official website, pcmanager.microsoft.com, to be modified.
This is compounded by the fact that in certain releases of PC Manager, automatic updates are enabled by default. An attacker's malicious executable, masquerading as a legitimate update, could therefore be propagated to every single installation of PC Manager whose default configuration was left unchanged.
However, it is important to note that the MSI…