Leaky cloud storage bucket. Thousands of Microsoft Azure customers are warned of data exposure risk in Redmond’s Cosmos database
Microsoft has reportedly emailed thousands of its cloud customers, including some of the world’s largest companies, warning of a potential data exposure risk with its Cosmos database.
Reuters reported that intruders could have the ability to read, change or even delete customers’ main databases, citing a copy of the email and a cyber security researcher.
The cyber security researchers in question are Wiz, which detailed in a blog post how it was able to hack thousands of Azure customers’ databases.
Cosmos database flaw
The vulnerability is located in Microsoft Azure’s flagship Cosmos database, and specifically the access keys that control access to databases held by thousands of companies.
Wiz Chief Technology Officer Ami Luttwak is reportedly a former chief technology officer at Microsoft’s Cloud Security Group.
Reuters reported that because Microsoft cannot change those keys by itself, it emailed the customers Thursday telling them to create new ones.
And Redmond has agreed to pay Wiz $40,000 for finding the flaw and reporting it, according to an email it sent to Wiz.
Microsoft’s email to customers reportedly said it has fixed the vulnerability and that there was no evidence the flaw had been exploited.
“We have no indication that external entities outside the researcher (Wiz) had access to the primary read-write key,” according to a copy of the email seen by Reuters.
“This is the worst cloud vulnerability you can imagine. It is a long-lasting secret,” Luttwak told Reuters. “This is the central database of Azure, and we were able to get access to any customer database that we wanted.”
Luttwak’s team found the problem, dubbed ChaosDB, on 9 August and notified Microsoft on 12 August, Luttwak reportedly said.
Wiz, however, has warned that although Microsoft acted quickly to address the problem, it believes many other Cosmos DB customers who have not been emailed by Microsoft are potentially at risk.
“Microsoft’s Security Team deserves enormous credit for taking immediate action to address the problem,” said Wiz in its blog post. “We rarely see security teams move so fast! They disabled the vulnerable notebook feature within 48 hours after we reported it. It’s still turned off for all customers pending a security redesign.”
“However, customers may still be impacted since their primary access keys were potentially exposed,” Wiz warned. “These are long-lived secrets and in the event of a breach, an attacker could use the key to exfiltrate databases. Today Microsoft notified over 30 percent of Cosmos DB customers that they need to manually rotate their access keys to mitigate this exposure.”
“Microsoft only emailed customers that were affected during our short (approximately weeklong) research period,” said Wiz. “However, we believe many more Cosmos DB customers may be at risk. The vulnerability has been exploitable for at least several months, possibly years.”
“Every Cosmos DB account that uses the notebook feature or that was created after February 2021 is potentially exposed,” the researchers warned. “As a precaution, we urge every Cosmos DB customer to take steps to protect their information.”
The hackers that breached that government software contractor had managed to implant malicious software in Redmond’s internal systems. Those hackers also viewed Microsoft’s source code repositories.
Last month Microsoft had to repeatedly re-engineer a fix for a printer flaw that allowed computer takeovers.
Last week, a Microsoft Exchange email flaw prompted an urgent US government warning that customers need to install patches.