Risk Level: High
Description
The plugin will check if the user has enabled anonymous access sets or subsets for the blobs within the container. The access will allow people to anonymously access the blob files of your container.
About the Service
Storage Accounts: An azure storage account is used to store the customer’s data objects such as files, queues, shares, etc. The storage accounts ensure high availability for the clients and allot a unique namespace for the storage data and are accessible from anywhere around the world using HTTP or HTTPS protocols.
Impact
In case the access level is not set to private, anyone from the internet can anonymously access the blobs in the container primarily leading to breach in confidentiality and disclosure of sensitive information.
Steps to Reproduce
- Log in to the Azure portal.
- Click on Storage accounts for Services.
- Select any one of the provided accounts to check for the issue.
- From the navigation bar, select Static website from Data Management.
- Click on the URL given on the screen under the Static website.
- If the access level is set to Blob (anonymous read access) or Blob and container anonymous read access, then go to the Steps for remediation section.
- Repeat for other containers with static websites as well.
Steps for Remediation
- Log in to the Azure portal.
- Click on Storage accounts for Services.
- Select any one of the provided accounts to remediate the issue.
- From the navigation bar, select Static website from Data Management.
- From the navigation panel at top go to Change access level.
- If the access level is set to Blob (anonymous read access) or Blob and container anonymous read access, then click on the drop-down menu and set the value to Private (No anonymous access). Click on OK.
- Repeat for other containers as well.
Please feel free to reach out to support@pingsafe.com with any questions that you may have.
Thanks
PingSafe Support