Azure App Service’s Security Flaw ‘NotLegit’ Exposes Source Repository!

Microsoft always goes the extra mile to beef up its cybersecurity defenses. However, despite its continued efforts, the tech giant is stumbling over security vulnerabilities every now and then. ‘NotLegit’ is the latest addition to the exhaustive list of security bugs that have put Microsoft customers’ critical assets at hacking risk.

According to the cloud security vendor,, the first to raise the red flag on the security flaw, the NotLegit bug was identified in Microsoft’s Azure App Service.

The bug impacted Azure customers who deployed code to App Service Linux using Local Git after files were already created or modified in the content root directory.

“This happens because the system attempts to preserve the currently deployed files as part of repository contents and activates what is referred to as in-place deployments by deployment engine (Kudu),” informed Microsoft.


The NotLegit bug exposed the source code of PHP, Node, Python, Ruby, and Java applications. According to the Wiz researchers, the security flaw has been actively exploited in the wild by threat actors for the past four years.

Also Read: Two Major Companies Suffer Data Breach! Deets Inside!

“The vulnerability, which we dubbed as “NotLegit,” has existed since September 2017 and has probably been exploited in the wild,” stated the Wiz Research Team.

Hot on the heels of the flaw disclosure by Wiz, Microsoft fixed the flaw and notified the impacted customers with specific guidance on how to mitigate the issue.

“We have notified the limited subset of customers that we believe are at risk due to this, and we will continue to work with our customers on securing their applications,” the software giant said.

Microsoft said that it “updated all PHP images to disallow serving the .git folder as static content as a defense in depth measure.”

For the remaining languages, the software giant recommended the customers review the code to ensure that only the relevant code is served out.

Meanwhile, the Wiz Research Team directed Azure App Service users to ensure that the .git folder is not uploaded while deploying git repositories to webservers and storage buckets.

This recommendation prevents illegitimate access to the critical information stored in the .git folder, such as source code, developers’ emails, and other sensitive data.

Also Read: Cryptocurrency Heists, Ransomware Payments to Drop 30% by 2024!

Microsoft heralded that “not all the users of Local Git were impacted.”

“Customers who deployed code to App Service Linux via Local Git after files were already created in the application were the only impacted customers. Azure App Service Windows is not impacted, as it runs in an IIS-based environment,” the tech giant said.

Contact Us

More New Articles: