Microsoft on Thursday warned thousands of its cloud customers, including some of the world’s largest companies, that intruders may have gained the ability to read, change or even delete their key databases, according to a copy of the email and a researcher of cyber security.
The vulnerability is in the Cosmos DB database, Microsoft’s flagship Azure. A research team at security firm Wiz found it was able to access keys that control access to databases held by thousands of companies. Wiz Chief Technology Officer Ami Luttwak is a former Chief Technology Officer for Microsoft’s Cloud Security Group.
Since Microsoft cannot change these keys alone, it emailed customers on Thursday asking them to create new ones. Microsoft agreed to pay Wiz $40,000 for finding the bug and reporting it, according to an email sent to Wiz.
“We fixed the issue immediately to keep our customers safe and secure. We thank security researchers for working under coordinated vulnerability disclosure,” Microsoft told Reuters.
Microsoft’s email to customers said there was no evidence that the flaw had been exploited. “We have no indication that external entities, apart from the researcher (Wiz), had access to the primary key,” the email said.
“This is the worst cloud vulnerability you can imagine. It’s an enduring secret,” Luttwak told Reuters. “It’s Azure’s central database, and we were able to access any consumer database we wanted.”
Luttwak’s team found the problem, dubbed ChaosDB, on Aug. 9 and notified Microsoft on Aug. 12, Luttwak said.
The glitch was in the visualization tool called Jupyter Notebook, which has been around for years, but was turned on by default in Cosmos as of February. After Reuters published the flaw, Wiz detailed the issue in a blog.
Luttwak said that even consumers who were not notified by Microsoft could have had their keys stolen by intruders, which would have given them access until those keys were modified. Microsoft only notified customers whose keys were visible this month when Wiz was working on the issue.
That revelation comes after months of bad security news for Microsoft. The company was breached by the same hackers suspected of being from the Russian government who infiltrated SolarWinds and stole Microsoft’s source code. Later, several hackers broke into Exchange mail servers while a patch was being developed.
The problems with Azure are of particular concern as Microsoft and outside security experts have been pushing companies to abandon their own infrastructure and rely on the cloud for more security.
But while cloud attacks are rarer, they can be more devastating when they occur. And besides, some are never released.