Microsoft has warned thousands of its Azure cloud computing customers, including many Fortune 500 companies, about a vulnerability that caused their data to be completely exposed over the past two years.
A bug in Microsoft’s Azure Cosmos DB database product left more than 3,300 Azure customers open to completely unrestricted access from attackers. The vulnerability was introduced in 2019 when Microsoft added a data visualization feature called the Jupyter Notebook to Cosmos DB. The feature was turned on by default for all Cosmos DBs in February 2021.
A list of Azure Cosmos DB clients includes companies such as Coca Cola, Liberty Mutual Insurance, ExxonMobil and Walgreens, just to name a few.
“This is the worst cloud vulnerability you can imagine,”
Despite the severity and risk presented, Microsoft has not seen any signs of vulnerability leading to illegal data access. “There is no evidence that this technique was exploited by malicious actors,” said Microsoft Bloomberg in an e-mail message. “We are not aware that customer data is available due to this vulnerability.” Microsoft paid Wiz $ 40,000 for the discovery, according to Reuters.
In a detailed blog post, Wiz says that the vulnerability introduced by Jupyter Notebook allowed the company’s researchers to access the primary keys that secured the Cosmos DB databases for Microsoft customers. With the mentioned keys, Wiz had full read / write / delete access to the data of several thousand Microsoft Azure customers.
Wiz says it discovered the problem two weeks ago, and Microsoft disabled the vulnerability within 48 hours of Wiz reporting it. However, Microsoft cannot change customers’ primary access keys, so the company sent an email to Cosmos DB customers to manually change the keys to reduce exposure.
Today’s problem is just the latest security nightmare for Microsoft. The company had some of the source code stolen by SolarWinds hackers in late December, Exchange email servers were hacked and involved in ransomware attacks in March, and a recent typo allowed attackers to take over computers with system-level privileges. But with world data increasingly moving to centralized cloud services like Azure, today’s revelation may be the most worrying development yet for Microsoft.