Thousands of Microsoft Azure cloud computing clients, including several Fortune 500 organizations, have been notified of a vulnerability that has left their data totally exposed for the past two years.
A vulnerability in Microsoft’s Azure Cosmos DB database system allowed attackers total, unfettered access to more than 3,300 Azure customers. The vulnerability was created in 2019, when Microsoft added a data visualization capability called Jupyter Notebook to Cosmos DB. In February 2021, the functionality became the default for all Cosmos DBs.
Companies like Coca-Cola, Liberty Mutual Insurance, ExxonMobil, and Walgreens, to mention a few, are among the Azure Cosmos DB clients.
“This is the worst cloud vulnerability you can imagine,” said Ami Luttwak, CEO of Wiz, the security firm that found the flaw. “This is Azure’s core database, and we were able to connect to whatever client database we wanted.”
Despite the severity and danger, Microsoft has found no indication that the vulnerability has resulted in unauthorized data access. In an emailed response to Bloomberg, Microsoft said, “There is no indication of this approach being abused by bad actors.” “As a result of this vulnerability, we are not aware of any client data being accessed.” According to Reuters, Microsoft paid Wiz $40,000 for the finding.
In a lengthy blog post, Wiz claims that the vulnerability exposed by Jupyter Notebook allowed the company’s researchers to obtain access to the primary keys that safeguarded Microsoft clients’ Cosmos DB databases. Using these keys, Wiz had complete read, write, and delete access to the data of tens of thousands of Microsoft Azure users.
According to Wiz, the vulnerability was found two weeks ago, and Microsoft disabled it within 48 hours of Wiz disclosing it. Microsoft, however, is unable to alter its customers’ primary access keys, which is why it contacted Cosmos DB users and asked them to manually update their keys in order to reduce risk.
Today’s problem is Microsoft’s latest security nightmare. In December, SolarWinds hackers stole part of the company’s source code; in March, its Exchange email servers were compromised and implicated in ransomware attacks; and in April, a printer weakness allowed attackers to take over machines with system-level access. However, with the world’s data increasingly migrating to centralized cloud services like Azure, Microsoft’s latest discovery might be the most concerning yet.