Microsoft has issued a warning to their Azure cloud computing customers regarding a vulnerability that has left their data completely exposed for the last two years.
Over 3,300 Azure customers have been open to unrestricted access by attackers because of a flaw in Microsoft’s Azure Cosmos DB database product. The vulnerability goes back to 2019 when Microsoft inserted a data visualization feature called Jupyter Notebook to Cosmos DB. The feature was turned on by default for all Cosmos DBs in February 2021.
Fortune 500 companies like Coca Cola, Liberty Mutual Insurance, ExxonMobil, and Walgreens, have all been affected.
“This is the worst cloud vulnerability you can imagine,” said Ami Luttwak, Chief Technology Officer of Wiz, the security company that discovered the issue. “This is the central database of Azure, and we were able to get access to any customer database that we wanted.”
Fortunately, even though hackers had access, Microsoft hasn’t seen any evidence of the vulnerability leading to wrongful data access. “There is no evidence of this technique being exploited by malicious actors,” Microsoft told Bloomberg in an emailed statement. “We are not aware of any customer data being accessed because of this vulnerability.”
Microsoft paid Wiz $40,000 for the discovery, according to Reuters.
Wiz states in a blog post, that the vulnerability allowed the company’s researchers to gain access to the primary keys that secured the Cosmos DB databases for Microsoft customers. With these keys, Wiz had full read / write / delete access to the data of several thousand Microsoft Azure customers.
Wiz discovered the flaw two weeks ago and Microsoft quickly disabled the vulnerability within 48 hours of Wiz reporting it. But, Microsoft can’t change its customers’ primary access keys, which is why the company contacted Cosmos DB customers to manually change their keys in order to mitigate exposure.
Cloud computing has it’s security issues. Reach out to MicroPac today for a cybersecurity solution.