Nitesh Surana
Nitesh Surana is a Senior Threat Researcher at Trend Micro. He focuses on software supply chain attacks, cloud vulnerabilities, threats, misconfigurations and the jazz that comes along. Primarily for his submissions affecting 10+ Azure services, made through the Trend Zero Day Initiative, he has been ranked among the top 100 Microsoft Security Researchers for 2023 and 2024. He has presented at conferences such as Black Hat USA, Black Hat Asia, BlueHat, FIRSTCON, HackInTheBox, HackInParis, Virus Bulletin, Nullcon, c0c0n and many more. When he is not at a computer, Nitesh is often found listening to metal music in the Himalayas.
Session
Cloud Service Providers (CSPs) have grown, matured and been widely adopted over time. This growth has had its own ramifications and a significant influence on how modern systems are built. However, because these services are released for public use so quickly, security practices often lag behind. We will discuss how two related bad security practices lead to multiple scenarios in which systems that depend on cloud resources can be compromised, ranging from dangling cloud resource takeovers to supply chain attacks. From the perspective of the infamous shared responsibility model, bad security practices are not limited to end users; they are also found on the CSP side, with security implications for both.
This talk describes in detail how, on the CSP side, Universal DNS Zones and cloud credentials passed in URL parameters turn out to be security nightmares. Universal DNS Zones refer to the CSP design decision of using a common DNS zone for all customers, with nothing in the name to distinguish who owns the resource: when a customer decommissions a resource but leaves a DNS record pointing at its name, whoever next claims that name in the shared zone inherits the traffic. This leads to a set of security issues that can be abused to perform cloud resource hijacking. The case of cloud credentials in URL parameters focuses on Azure SAS token abuse scenarios: a SAS token is a bearer credential, so every place the URL is logged, shared or cached is a place the credential can leak. Even though these bad practices are not a novel discovery, our investigation reveals new, previously unpublished scenarios covering a wide range of possible attacks.
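As an added example (not part of the talk or the speaker's own code), the following Python script shows the two checks a defender would want for the practices described above: flagging CNAME records that point into a shared cloud DNS zone at a target that is no longer in the tenant's inventory, and auditing URLs for Azure SAS tokens whose parameters make a leak expensive (long expiry, write permissions, account-wide scope, HTTP allowed, no IP restriction). The zone list, the seven-day lifetime threshold, the inventory set, the fixed reference time, and every record and URL below are constructed assumptions for illustration, not data from the talk.

```python
"""Offline checks for the two practices named above: CNAMEs dangling into a
shared cloud DNS zone, and Azure SAS tokens carried as URL parameters.
All sample records and URLs are constructed for illustration."""
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Shared ("universal") DNS zones in which every Azure customer is handed names.
# Illustrative subset (an assumption of this example); extend for your estate.
SHARED_CLOUD_ZONES = (
    ".blob.core.windows.net",
    ".azurewebsites.net",
    ".cloudapp.azure.com",
    ".trafficmanager.net",
    ".azureedge.net",
)


def find_dangling_cnames(records, owned_targets):
    """records: iterable of (owner_name, rtype, target) tuples, e.g. a zone export.
    owned_targets: hostnames currently provisioned in the tenant (a hypothetical
    inventory, assumed to be exported from the cloud account).
    Returns [(owner_name, target)] for CNAMEs that point into a shared cloud zone
    at a name the inventory no longer owns, i.e. a name anyone could claim."""
    owned = {t.lower().rstrip(".") for t in owned_targets}
    findings = []
    for owner_name, rtype, target in records:
        if rtype.upper() != "CNAME":
            continue
        tgt = target.lower().rstrip(".")
        if tgt in owned:
            continue
        if any(tgt.endswith(zone) for zone in SHARED_CLOUD_ZONES):
            findings.append((owner_name, tgt))
    return findings


MAX_SAS_LIFETIME_DAYS = 7           # policy threshold, an assumption of this example
WRITE_PERMISSIONS = set("wdacu")    # SAS 'sp' letters: write, delete, add, create, update


def _parse_sas_time(value):
    """SAS 'se'/'st' values are UTC ISO 8601, with or without seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def audit_sas_url(url, now=None):
    """Inspect a URL's query string for an Azure SAS token and report the
    properties a reviewer cares about. `now` is injectable for testing."""
    now = now or datetime.now(timezone.utc)
    query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in query:                      # no signature, not a SAS URL
        return {"is_sas": False, "issues": []}

    issues = []
    expiry = _parse_sas_time(query.get("se", ""))
    if expiry is None:
        issues.append("no-expiry")
    elif expiry < now:
        issues.append("expired")
    elif (expiry - now).days > MAX_SAS_LIFETIME_DAYS:
        issues.append("long-lived")

    if set(query.get("sp", "")) & WRITE_PERMISSIONS:
        issues.append("write-capable")
    if "ss" in query or "srt" in query:
        issues.append("account-sas")            # account-wide scope, not one blob/container
    if "http" in query.get("spr", "https").split(","):
        issues.append("http-allowed")           # token usable over plaintext
    if "sip" not in query:
        issues.append("no-ip-restriction")
    return {"is_sas": True, "permissions": query.get("sp", ""),
            "expires": expiry, "issues": issues}


# Constructed sample data ----------------------------------------------------
SAMPLE_RECORDS = [
    ("www.example.test", "CNAME", "shop-legacy.azurewebsites.net."),
    ("cdn.example.test", "CNAME", "acmecdn.azureedge.net."),
    ("mail.example.test", "MX", "mail.example.test."),
]
SAMPLE_INVENTORY = {"acmecdn.azureedge.net"}   # shop-legacy was decommissioned
FIXED_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # reference time for the audit
SAMPLE_URLS = [
    "https://acmestore.blob.core.windows.net/reports/q1.csv"
    "?sv=2022-11-02&sr=b&sp=r&se=2024-01-01T00:00:00Z&sip=203.0.113.0-203.0.113.255&sig=REDACTED",
    "https://acmestore.blob.core.windows.net/"
    "?sv=2022-11-02&ss=b&srt=sco&sp=rwdlacup&se=2030-01-01T00:00Z&spr=https,http&sig=REDACTED",
    "https://acmestore.blob.core.windows.net/reports/q1.csv",
]

if __name__ == "__main__":
    for owner, target in find_dangling_cnames(SAMPLE_RECORDS, SAMPLE_INVENTORY):
        print(f"dangling CNAME: {owner} -> {target}")
    for url in SAMPLE_URLS:
        print(audit_sas_url(url, now=FIXED_NOW))
```

The first check is deliberately inventory-based rather than resolution-based: a name in a shared zone that still resolves may already belong to someone else, so "does it resolve" is not the question; "do we still own it" is. The SAS audit reports properties, not a verdict, because the same long-lived write-capable account SAS may be acceptable in a locked-down backup job and a disaster in a URL pasted into a ticket.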