A security firm discovered a vulnerability that gave it access to a large number of Microsoft Azure customers' cloud databases, an issue it called the "worst cloud vulnerability you can imagine." Microsoft says it is not aware of the flaw having been exploited by malicious actors.
The firm was able to reach customers' Azure Cosmos DB databases with full read-write access: it could not only view content but also change and delete data.
The researchers, a team at security firm Wiz, found they could obtain the primary keys that control access to the databases of thousands of companies. Wiz's chief technology officer, Ami Luttwak, is a former manager in Microsoft's cloud security group, so he brought some familiarity with the platform to the hunt for the flaw.
To reach a Cosmos DB database, the firm first obtained the primary keys of the customer's database account. In 2019 Microsoft added a Jupyter Notebook feature to Cosmos DB that lets customers visualize their data and build custom views; in February 2021 the feature was turned on automatically for all Cosmos DB accounts. A primary key is a long-lived credential: whoever holds it can read, write and delete the account's data until the key is regenerated.
Wiz points out that Cosmos DB customers include giants such as Coca-Cola, Exxon-Mobil and Citrix, as listed on the service's own website.
Microsoft cannot change these keys
Because Microsoft cannot change those keys itself, on Thursday it emailed affected customers telling them to regenerate their primary read-write keys. Microsoft has agreed to pay Wiz $40,000 for finding and reporting the bug. Microsoft officials have not commented further on the problem.
In an email Microsoft sent to Wiz, the company said it had fixed the vulnerability and that there was no evidence the bug had been exploited. "We have no indication that external entities outside the researcher (Wiz) had access to the primary read-write key," the email says.
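Regenerating a Cosmos DB key invalidates every client still using it, so the rotation has to be ordered so that applications are never left without a working key. The script below is an added example (not from the article, Microsoft or Wiz) showing that order with the Azure CLI: it uses the real `az cosmosdb keys regenerate` and `az cosmosdb keys list` commands, but the resource-group name, account name and the "apply hook" that pushes the new key into the application's secret store are placeholders you supply, and the `AZ` variable exists only so the CLI can be swapped for a stub when testing offline.

```shell
#!/bin/sh
# Added example: rotate all four Cosmos DB account keys without downtime
# after a suspected key exposure.  The az subcommands and flags are real;
# the account, resource group and apply hook are assumptions/placeholders.
set -eu

# Lets a test or dry run point at a stub instead of the real CLI.
AZ="${AZ:-az}"

# regenerate_key <resource-group> <account> <primary|secondary|primaryReadonly|secondaryReadonly>
regenerate_key() {
    "$AZ" cosmosdb keys regenerate \
        --resource-group "$1" --name "$2" --key-kind "$3" >/dev/null
}

# current_key <resource-group> <account> <primaryMasterKey|secondaryMasterKey>
# Prints the requested key on stdout so it can be piped, never logged.
current_key() {
    "$AZ" cosmosdb keys list --resource-group "$1" --name "$2" \
        --type keys --query "$3" -o tsv
}

# rotate_cosmos_keys <resource-group> <account> <apply-hook>
# apply-hook is any command that reads the new key from stdin, receives the
# key kind as $1, and returns only after every client is using that key
# (for example by updating a Key Vault secret and restarting the app).
rotate_cosmos_keys() {
    rg="$1"; acct="$2"; hook="$3"

    # 1. Regenerate the key clients are NOT using (secondary), then move
    #    clients onto it.  The leaked primary is still valid, so nothing
    #    breaks during the switch.
    regenerate_key "$rg" "$acct" secondary
    current_key "$rg" "$acct" secondaryMasterKey | "$hook" secondary
    echo "clients now on secondary"

    # 2. The primary is now unused: regenerate it and move clients back,
    #    which invalidates whatever the attacker obtained.
    regenerate_key "$rg" "$acct" primary
    current_key "$rg" "$acct" primaryMasterKey | "$hook" primary
    echo "clients now on primary"

    # 3. Read-only keys are exposed by the same API, so rotate them too.
    regenerate_key "$rg" "$acct" primaryReadonly
    regenerate_key "$rg" "$acct" secondaryReadonly
    echo "rotation complete"
}

# Usage: sh rotate.sh <resource-group> <account> <apply-hook>
if [ $# -eq 3 ]; then
    rotate_cosmos_keys "$@"
fi
```

Both secondary-then-primary steps are required: regenerating only the primary key while clients still use it is the downtime case, and regenerating only the secondary leaves the exposed primary valid. The hook receives key material on stdin rather than as an argument so it does not appear in process listings or shell history.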
“This is the worst cloud vulnerability you can imagine. It is a long-lasting secret,” Wiz Chief Technology Officer Ami Luttwak states. “This is the central database of Azure, and we were able to get access to any customer database that we wanted,” he adds.