Mumbai's power cut

Researchers urge all Microsoft cloud users to change digital access keys

Researchers who are credited for having discovered a security flaw in Microsoft’s cloud service, Azure, have on Saturday urged all Microsoft cloud users, and not just the 3,300 people who had been notified earlier, to change their digital access keys.

Microsoft cloud access keys
Image Credits: Microsoft

Major Danger Avoided?

Researchers at cloud security firm Wiz had discovered a major security flaw in the tech giant’s cloud service earlier this month. This flaw, they claimed, had created a sort of data back door that could allow threat actors to get their hands on primary digital keys of most users of the Cosmo’s DB, a database system. Upon gaining access to these keys, hackers could steal, change, or even alter millions of records stored in the same.

Some users were asked to alter their digital access keys by Microsoft itself on Thursday, following which, the company issued a statement saying that it had no reason to believe that attackers had used the flaw to break into customers’ data. As per the statement, during its probe into the matter, the company had identified only the activity from the researchers, with no other form of unauthorized activity being detected. It further added that customers had been informed of the flaw, and had been advised to regenerate their primary digital keys as a precautionary measure.

Strongly Encouraged

However, the Cybersecurity and Infrastructure Security Agency under the Department of Homeland Security has “strongly encouraged” all Azure Cosmos DB users to switch to new certificate keys, something which the experts at Wiz have agreed with. Ami Luttwak, Chief Technology Officer at the organization, has said that it remains “really hard” for the company to say for sure that the flaw has never been used. To add to this concern, Microsoft has not been able to provide any straight answer to the question of whether or not it has comprehensive logs regarding the two years when the feature was “misconfigured,” or if it had used any other method to rule out its abuse.

Spokesperson Ross Richendrfer has declined to answer questions, but has claimed that the tech giant has in fact “expanded its search” to include instances beyond the activity from the researchers, in a bid to look for any current unauthorized activity, or detect “similar events in the past.”

Wiz too, has said that Microsoft has cooperated with it during the research, but adds that the firm didn’t divulge how it could be sure that customers weren’t at risk.