Microsoft has alerted thousands of Azure cloud computing customers, including many Fortune 500 companies, to a vulnerability that left their data exposed for two years.
An attack vector in Microsoft's Azure Cosmos DB database product allowed unrestricted access to more than 3300 Azure customers. Microsoft introduced the vulnerability in 2019, when it added a data visualization tool called Jupyter Notebook to Cosmos DB. In February 2021, this feature was automatically enabled for all Cosmos DBs.
Companies like Walgreens, Liberty Mutual Insurance and ExxonMobil are just a few of the Azure Cosmos DB clients.
"We were able to access any customer database we needed"
This vulnerability is the most serious you can imagine for cloud computing, according to Ami Luttwak, CTO of Wiz, the security company that discovered it. "This is Azure's central database, and it allowed us to access any customer database we needed."
Despite the risk and severity, Microsoft has not seen evidence that the vulnerability has allowed illicit data access. In an email to Bloomberg, Microsoft said there is no evidence that this technique has been exploited by malicious actors. According to Reuters, Microsoft stated: "We are unaware of any customer data being accessed due to this vulnerability."
Wiz explains in a blog post that a vulnerability in Jupyter Notebook allowed researchers to access the primary keys that secure the Cosmos DB databases of Microsoft customers. Using these keys, Wiz was able to read, write, and delete the data of many thousands of Microsoft Azure customers.
Wiz says the vulnerability was discovered two weeks ago. Microsoft fixed the issue within 48 hours of Wiz reporting it. Microsoft cannot change its customers' primary access keys itself, so it emailed Cosmos DB customers asking them to manually change their keys to reduce exposure.
Today's issue is Microsoft's latest security problem. SolarWinds hackers stole some of the company's source code at the end of December. In March, ransomware attacks on its Exchange email servers led to their breach. A recent printer flaw also allowed attackers to access computers with system-level privileges. Today's revelation is likely to be the most worrying development for Microsoft, as the world's data shifts to cloud services like Azure.