Microsoft Azure – Data Leaks?
Thousands of Microsoft Azure cloud computing clients, including many Fortune 500 firms, have been notified of a vulnerability that has left their data entirely exposed for the past two years.
A weakness in Azure’s Cosmos DB database platform allowed attackers complete, unlimited access to more than 3,300 Azure customers. The vulnerability arose in 2019, when Microsoft added a data visualisation feature called Jupyter Notebook to Cosmos DB. In February 2021, the feature became the default for all Cosmos DB databases.
Clients of Azure
Companies like Coca-Cola, Liberty Mutual Insurance, ExxonMobil, and Walgreens, to mention a few, are among the Azure Cosmos DB clients.
“This is the worst cloud vulnerability you can imagine,” said Ami Luttwak, CEO of Wiz, the security firm that identified the flaw. “This is Azure’s core database, and we were able to connect to whatever client database we wanted.”
Despite the severity and risk, Microsoft has found no evidence that the vulnerability has resulted in unauthorised data access. In an emailed reply to Bloomberg, Microsoft said, “There is no indication of this technique being exploited by hostile actors. As a result of this vulnerability, we are not aware of any client data being accessed.” According to Reuters, Microsoft paid Wiz $40,000 for the discovery.
Jupyter Notebook at fault
In a comprehensive blog post, Wiz claims that the vulnerability presented by Jupyter Notebook allowed the company’s researchers to obtain access to the primary keys that secured Microsoft clients’ Cosmos DB databases. With these keys, Wiz had complete read, write, and delete access to the data of tens of thousands of Azure users.
According to Wiz, the vulnerability was identified two weeks ago, and Microsoft disabled it within 48 hours of Wiz disclosing it. Microsoft, however, is unable to change its customers’ primary access keys, which is why it urged Cosmos DB clients to manually update their keys in order to reduce risk.
Today’s problem is Microsoft’s latest security nightmare. In December, SolarWinds hackers stole part of the company’s source code; in March, its Exchange email servers were penetrated and implicated in ransomware attacks; and in April, a printer flaw allowed attackers to take over PCs with system-level rights. However, with the world’s data increasingly migrating to centralised cloud services like Azure, Microsoft’s latest disclosure could be the most concerning yet.