Vulnerability caused data exposure for years.
Microsoft has warned thousands of its Azure cloud customers that a vulnerability had left their data exposed for the past two years. On Thursday, Microsoft told these customers, including some of the biggest companies in the world, that a flaw in Azure had left their data completely exposed for two years. Intruders could even change or delete the data.
A vulnerability in the Azure Cosmos DB database service left the databases of over 3,300 customers completely exposed to attackers. The flaw came with a data visualization feature, "Jupyter", that Microsoft added to Cosmos DB. In February 2021, Microsoft turned this feature on by default for all Cosmos DB users. A research team at Wiz, the security company that discovered the vulnerability, found it could access the keys that act as credentials for Cosmos DB databases. Wiz Chief Technology Officer Ami Luttwak is a former chief technology officer of Microsoft's Cloud Security Group, according to Reuters.
“This is the worst cloud vulnerability you can imagine. This is the central database of Azure, and we were able to get access to any customer database that we wanted.”
Microsoft was not able to change those leaked keys itself, so it notified affected customers that they should change the keys. In a deal with Wiz, Microsoft agreed to pay the company $40,000, according to an email from Microsoft to Wiz.
“We fixed this issue immediately to keep our customers safe and protected. We thank the security researchers for working under coordinated vulnerability disclosure.”
- Microsoft to Reuters
There was a high risk that the data had been misused, but Microsoft has found no evidence of it so far. Microsoft said in an email to Bloomberg: "We are not aware of any customer data being accessed because of this vulnerability." Wiz says that after it reported the issue, Microsoft fixed it within 24 hours.
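The remediation Microsoft asked customers to perform was to regenerate their Cosmos DB account keys, since a leaked key remains valid until it is rotated. The following script is an added example, not code from the original article, Microsoft or Wiz. It shows the order that avoids downtime when rotating a key pair with the Azure CLI: regenerate the unexposed key of the pair first, repoint workloads to it, then regenerate the exposed key. The account and resource-group names are hypothetical, and the `AZ` variable is an assumption that lets the script be dry-run with `AZ=echo` before it is pointed at a real subscription.

```shell
#!/bin/sh
# Rotation of Cosmos DB account keys with the Azure CLI (added example).
# Each account has a read-write pair (primary/secondary) and a read-only pair
# (primaryReadonly/secondaryReadonly). Regenerating a key invalidates it
# immediately, so the partner key is rotated first to give workloads a fresh
# credential to move to before the exposed key is destroyed.
AZ="${AZ:-az}"   # assumption: override with AZ=echo for a dry run

rotate_cosmos_keys() {
    account="$1"          # hypothetical Cosmos DB account name
    rg="$2"               # hypothetical resource group
    kind="${3:-primary}"  # exposed key: primary or primaryReadonly
    case "$kind" in
        primary)         other="secondary" ;;
        primaryReadonly) other="secondaryReadonly" ;;
        *) echo "unknown key kind: $kind (use primary or primaryReadonly)" >&2; return 2 ;;
    esac
    # Step 1: regenerate the partner key so a credential that was never
    # exposed exists alongside the one being replaced.
    "$AZ" cosmosdb keys regenerate --name "$account" --resource-group "$rg" --key-kind "$other" || return 1
    # Step 2 (outside this script): redeploy applications with the new
    # partner key, taken from 'az cosmosdb keys list --type keys'.
    # Step 3: regenerate the exposed key; anything still using it fails closed.
    "$AZ" cosmosdb keys regenerate --name "$account" --resource-group "$rg" --key-kind "$kind" || return 1
}

# Usage: ./rotate.sh <account> <resource-group> [primary|primaryReadonly]
if [ "$#" -ge 2 ]; then
    rotate_cosmos_keys "$@"
fi
```

Run it once per account and key pair; the read-only pair is rotated separately by passing `primaryReadonly`. A key listed in step 2 should be delivered to workloads through a secret store, never pasted into deployment files, because the whole point of the rotation is that the old value may already be in someone else's hands.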
Microsoft has a history of such vulnerabilities. Recently, default permission settings in Power Apps, a Microsoft tool for building web apps without coding, exposed the records of 38 million users online.