Microsoft reportedly warned thousands of Microsoft Azure cloud clients, including 500 Fortune companies that use Azure cloud, that their data has been exposed for over two years.
Microsoft warns Azure clients of exposed data
According to The Verge, the vulnerability was introduced in 2019 when Microsoft added a data visualization feature called Jupyter Notebook to Cosmos DB. The feature was turned on by default for all Cosmos DBs in February 2021, according to The Verge.
The list of Azure Cosmos DB clients includes companies such as Coca-Cola, Liberty Mutual Insurance, Caltex, Quest, Skype, and more.
Wiz security company reportedly discovered the vulnerability after they hacked thousands of Azure customers’ databases. Microsoft, however, said that there is no evidence of the vulnerability leading to illicit data access.
“There is no evidence of this technique being exploited by malicious actors. We are not aware of any customer data being accessed because of this vulnerability,” Microsoft told reporters.
Wiz explains how they discovered the vulnerability
“This is the worst cloud vulnerability you can imagine,” said Ami Luttwak, Chief Technology Officer of Wiz.
“This is the central database of Azure, and we were able to get access to any customer database that we wanted,” he added.
According to an article by Reuters, Microsoft paid the security company R596 130 ($40 000) for making the discovery. Wiz said that they gained access to customers’ Cosmos DB primary keys, which are, according to the company “the holy grail of attackers” — they use them to gain access to the database.
The security company commended Microsoft in a blog post for acting swiftly after they had reported what they discovered about the customers’ database. Microsoft disabled the vulnerable notebook feature within 48 hours, the company said.
Wiz said that customers may still be impacted since their primary access keys were potentially exposed.