[Contribution] Azure APIM Cross-Tenant Signup Bypass #437

@bountyyfi

Summary

The Azure API Management Developer Portal allows attackers to register accounts on any APIM instance with Basic Authentication enabled, even when signup is disabled in the UI. The signup API remains active regardless of the UI setting.

Timeline

  • 2025-09-30: Discovered & reported to MSRC
  • 2025-10-30: MSRC closed as “not a vulnerability”
  • 2025-11-01: Re-reported with details
  • 2025-11-20: MSRC closed as “by design”
  • 2025-11-20: Reported to CERT-FI
  • 2025-11-26: Public disclosure

Root Cause

  1. UI-only restriction: Disabling signup hides the form but backend API stays active
  2. No tenant validation: Signup API accepts cross-tenant requests via Host header manipulation

Attack

  1. Access any APIM portal with signup enabled (or own instance)
  2. Intercept signup request
  3. Change Host header to target instance
  4. Submit → account created on target despite “disabled” signup

```http
POST /signup HTTP/1.1
Host: target-apim.developer.azure-api.net  ← Changed
Origin: https://attacker-apim.developer.azure-api.net
Content-Type: application/json

{"challenge":{...},"signupData":{"email":"[email protected]",...}}
```

Impact

  • Cross-tenant account creation on any Basic Auth APIM
  • Bypass admin controls
  • Access to potentially sensitive API documentation
  • Ability to request API subscription keys
  • External access to “internal” portals

Vulnerable If

  • Basic Authentication configured (even with signup “disabled”)
  • Developer Portal deployed & accessible

Not Vulnerable If

  • Basic Authentication provider completely removed
  • Only Azure AD/OAuth configured
  • Developer Portal disabled

Mitigation: Remove Basic Authentication provider entirely—disabling signup in UI is insufficient.
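A constructed model of the two root causes above (a signup switch enforced only in the UI, and a signup challenge that is not bound to the tenant that issued it), shown as the vulnerable handler beside a hardened one. This is an added illustration, not Azure's code; the tenant table, server key, hostnames and challenge format are all assumptions.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = b"constructed-demo-key"  # placeholder only; a real service loads a managed secret
# Constructed tenant table: the attacker-controlled portal has signup on, the target has it off.
TENANTS = {
    "attacker-apim.developer.azure-api.net": {"signup_enabled": True, "users": set()},
    "target-apim.developer.azure-api.net": {"signup_enabled": False, "users": set()},
}

def _tag(host, nonce):
    return hmac.new(SERVER_KEY, f"{host}|{nonce}".encode(), hashlib.sha256).hexdigest()

def issue_challenge(host):
    """Portal mints the challenge the signup form later submits; it records the issuing host."""
    nonce = secrets.token_hex(8)
    return {"host": host, "nonce": nonce, "tag": _tag(host, nonce)}

def _genuine(challenge):
    return hmac.compare_digest(_tag(challenge["host"], challenge["nonce"]), challenge["tag"])

def signup_ui_only(host, challenge, email):
    """Vulnerable: tenant from Host, signup switch only in the UI, any genuine challenge accepted."""
    tenant = TENANTS.get(host)
    if tenant is None:
        return 404
    if not _genuine(challenge):
        return 400
    tenant["users"].add(email)
    return 201

def signup_hardened(host, challenge, email):
    """Hardened: the switch is enforced by the API and the challenge must match the request Host."""
    tenant = TENANTS.get(host)
    if tenant is None:
        return 404
    if not tenant["signup_enabled"]:
        return 403  # signup setting enforced server-side, not just hidden in the UI
    if challenge["host"] != host:
        return 403  # challenge was minted on another tenant's portal (Host swap)
    if not _genuine(challenge):
        return 400
    tenant["users"].add(email)
    return 201

def replay_demo():
    """Mint a challenge on the attacker's own portal, then submit it with the target's Host."""
    ch, target = issue_challenge("attacker-apim.developer.azure-api.net"), "target-apim.developer.azure-api.net"
    return signup_ui_only(target, ch, "user@example.com"), signup_hardened(target, ch, "user@example.com")
```

`replay_demo()` returns `(201, 403)`: the UI-only handler creates the account on the target, the hardened one refuses because the target's signup switch is enforced by the API itself.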

References

https://github.com/bountyyfi/Azure-APIM-Cross-Tenant-Signup-Bypass/
