According to a copy of the email and a cybersecurity researcher, Microsoft warned thousands of its cloud computing customers, including some of the world's largest organisations, that outsiders might be able to read, update, or even delete their main databases.
The flaw lies in Cosmos DB, Microsoft Azure's flagship database. Wiz's research team realised it was possible to obtain the keys that control access to databases owned by tens of thousands of companies. Ami Luttwak, Wiz's Chief Technology Officer, was previously the CTO of Microsoft's Cloud Security Group.
Because Microsoft cannot change those keys on its customers' behalf, customers were emailed on Thursday and told to create new ones. According to an email from Microsoft to Wiz, the company promised to pay Wiz $40,000 for discovering and disclosing the problem.
“We fixed this issue immediately to keep our customers safe and protected. We thank the security researchers for working under coordinated vulnerability disclosure,” Microsoft told Reuters.
Microsoft’s email to customers said there was no evidence the flaw had been exploited. “We have no indication that external entities outside the researcher (Wiz) had access to the primary read-write key,” the email said. “This is the worst cloud vulnerability you can imagine. It is a long-lasting secret,” Luttwak told Reuters. “This is the central database of Azure, and we were able to get access to any customer database that we wanted.”
Luttwak's team discovered the issue, codenamed ChaosDB, on August 9 and alerted Microsoft on August 12, according to Luttwak. The weakness was found in Jupyter Notebook, a visualisation tool that has been available for years but was only enabled by default in Cosmos DB in February. Wiz published a blog post on the problem after Reuters reported on it.
Even customers who have not been contacted by Microsoft may have had their keys stolen by attackers, who would retain access until the keys are changed, according to Luttwak. Microsoft only notified customers whose keys were exposed this month, while Wiz was working on the problem.
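Since a stolen primary key grants access until it is rotated, the practical follow-up for any affected account is to regenerate both read-write keys. The PowerShell below is an added illustration, not Microsoft's or Wiz's code; it assumes the Az.CosmosDB module is installed, an authenticated Azure session, and placeholder resource group and account names.

```powershell
# Added example: rotate the read-write keys of one Cosmos DB account.
# Assumes Az.CosmosDB is installed and Connect-AzAccount has been run.
# Placeholder names; replace with the real resource group and account.
$ResourceGroup = 'example-rg'
$Account       = 'example-cosmos-account'

# Record the current key values so the rotation can be verified.
$before = Get-AzCosmosDBAccountKey -ResourceGroupName $ResourceGroup -Name $Account -Type 'Keys'

# Rotate the secondary key first, then the primary, so that applications
# can be moved between keys without an interruption in access.
# Each call invalidates the old value of that key immediately.
New-AzCosmosDBAccountKey -ResourceGroupName $ResourceGroup -Name $Account -KeyKind 'Secondary'
New-AzCosmosDBAccountKey -ResourceGroupName $ResourceGroup -Name $Account -KeyKind 'Primary'

# Confirm that neither key still matches its pre-rotation value.
$after = Get-AzCosmosDBAccountKey -ResourceGroupName $ResourceGroup -Name $Account -Type 'Keys'
if ($after.PrimaryMasterKey -eq $before.PrimaryMasterKey -or
    $after.SecondaryMasterKey -eq $before.SecondaryMasterKey) {
    throw "Key rotation did not take effect for $Account"
}
Write-Output "Primary and secondary read-write keys rotated for $Account"
```

Applications holding the old primary key lose access as soon as the rotation completes, so update their configuration (ideally via Key Vault or another secret store) as part of the same change.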
Microsoft told Reuters that “customers who may have been impacted received a notification from us,” without elaborating.
Microsoft has been plagued by bad security news for months. The alleged Russian government hackers behind the SolarWinds intrusion also broke into Microsoft and stole source code. Then, while a patch was still being developed, a large number of hackers broke into Exchange email servers.
A recent patch for a printer flaw that allowed computer takeovers had to be reissued several times. Last week, another Exchange problem prompted an urgent U.S. government warning that customers must apply patches issued months ago, because ransomware gangs are now exploiting the flaw.
Problems with Azure are particularly concerning because Microsoft and other security experts have been urging businesses to move much of their on-premises infrastructure to the cloud. Cloud attacks are rarer, but they can be more catastrophic when they do happen, and some are never made public.
A federally funded research centre keeps track of all known software security issues and ranks them by severity. Because there is no comparable system for flaws in cloud architecture, many serious vulnerabilities go unnoticed by customers, according to Luttwak.