Microsoft alerted thousands of customers last Thursday (26) to a flaw that allowed intruders to access, modify and delete third-party databases in its cloud service.
The flaw was in the Jupyter Notebook data visualization feature offered as part of Cosmos DB, the database service used by thousands of companies that subscribe to Microsoft’s Azure cloud platform.
The vulnerability was identified by researchers at security firm Wiz. They found that any user could obtain keys granting access to other Cosmos DB customers’ databases.
Reuters had access to an email sent to customers in which Microsoft says there is no evidence that the flaw was exploited. “We have no indication that external entities, in addition to the researcher (Wiz), had access to the primary key,” the company said.
In the message, the company advised its customers to generate new keys for their databases, since the exposed primary keys remain valid until they are rotated. Microsoft paid Wiz $40,000 as a reward for identifying the flaw.
“We fixed the issue immediately to keep our customers safe and secure. We thank security researchers for working under coordinated vulnerability disclosure,” Microsoft told Reuters.
Questioned by G1, Microsoft did not say whether any customers in Brazil were affected by the flaw.
According to the researchers, the vulnerability stemmed from a misconfiguration in Jupyter Notebook, the feature used to query data and build charts from it. It was added to Cosmos DB in 2019 and became enabled by default in February 2021.
A bug in the feature allowed an attacker to escalate privileges into other customers’ notebook environments. From there, it was possible to obtain the Cosmos DB primary keys, which grant full access to all of an account’s data.
Wiz’s chief technology officer, Ami Luttwak, said the problem, dubbed ChaosDB, was identified on Aug. 9 and reported to Microsoft on Aug. 12.
According to Wiz, Microsoft only notified customers whose keys were exposed in August. Luttwak, however, said attackers could also have obtained keys from customers who were not notified.
“This is the worst cloud vulnerability you can imagine. It’s an enduring secret,” Luttwak told Reuters. “It’s Azure’s central database, and we were able to access any consumer database we wanted.”