Last Thursday (26), Microsoft issued an alert to its corporate customers about a vulnerability in the Azure cloud platform that exposed its databases to criminal action. According to the company, the problem would allow an attacker to read, edit or even permanently delete documents stored in the non-relational Cosmos DB database.
A team at security firm Wiz discovered that the flaw could be exploited to obtain the keys that controlled access to the databases of thousands of companies. The problem is considered serious, especially since Microsoft does not have the ability to change potentially compromised keys itself; this action must be taken by the affected customers themselves.
In a statement sent to Reuters, Microsoft said it had already resolved the issue with help from Wiz, which received a $40,000 ($208) reward for contributing to the discovery and notification. “We thank the security researchers for working under threat disclosure coordination,” the company said.
In the message sent to its customers, the Seattle-based company said there were no signs that the flaw had been actively exploited, and that only Wiz had access to the databases. According to the security company’s chief technology officer, Ami Luttwak, the discovery was the biggest cloud vulnerability imaginable and gave access to the data of any customer subscribing to Azure.
Customers may have been affected.
Wiz discovered the bug on August 9th and reported it to Microsoft on August 12th. The problem was found in the Jupyter Notebook tool, which was enabled on Cosmos DB in February this year. While Microsoft claims that no customers have been affected, the security company warns that unreported names may have been compromised without being aware of it.
The problem comes at a time when Microsoft 365 and other cloud systems offered by the corporation have frequently been victims of attacks and scams. The situation is especially worrisome for large corporations, which see cloud and online services as a way to outsource costs and streamline processes, and which depend on the security of those services to protect data related to themselves, their customers and their suppliers.
Source: Reuters, Wiz