According to a copy of the email and a cyber security researcher, Microsoft alerted thousands of its cloud computing customers, including some of the world’s largest organizations, that outsiders may read, edit, or even delete their main databases.
Microsoft Azure’s main Cosmos DB database is vulnerable. Wiz’s research team realized it was possible to gain access to keys that controlled access to databases owned by tens of thousands of companies. Ami Luttwak, Wiz’s Chief Technology Officer, was previously the CTO of Microsoft’s Cloud Security Group.
Because Microsoft is unable to alter those keys on its own, consumers were emailed on Thursday and told to create new ones. According to an email from Microsoft to Wiz, the company promised to pay him $40,000 for discovering and disclosing the problem.
“To keep our consumers safe and secure, we swiftly addressed the problem. We appreciate the security experts’ efforts in coordinating vulnerability disclosure “Reuters reported on Microsoft’s statement.
According to Microsoft’s notification to customers, there was no evidence that the weakness had been exploited. The email stated, “We have no indication that external entities other than the researcher (Wiz) had access to the primary read-write key.”
“This is the worst cloud flaw you can think of. It’s been kept a secret for a long time,” Luttwak told Reuters. “This is Azure’s core database, and we were able to connect to whatever client database we wanted.”
Luttwak’s team discovered the issue, codenamed ChaosDB, on August 9 and alerted Microsoft on August 12, according to Luttwak.
The weakness was found in Jupyter Notebook, a visualization tool available for years but only enabled by default in Cosmos in February. Wiz highlighted the problem in a blog post after Reuters reported on it.
Even clients who have not been contacted by Microsoft may have had their keys swiped by attackers, giving them access until their keys are changed, according to Luttwak. When Wiz was working on the problem, Microsoft only informed customers whose keys were displayed this month.
“Customers who may have been impacted received a message from us,” Microsoft told Reuters without going further.
Microsoft has been plagued by bad security news for months. The same alleged Russian government hackers who entered SolarWinds and stole Microsoft source code broke into the company. Then, while a patch was being created, a large number of hackers got into Exchange email servers.
A recently implemented repair for a printer fault that allowed for computer takeovers had to be redone several times. Last week, another Exchange problem triggered an urgent U.S. government warning that clients must apply patches given months ago because ransomware gangs are now exploiting the flaw.
Problems with Azure are particularly concerning because Microsoft and other security experts have been urging businesses to forgo much of their on-premises infrastructure in favor of the cloud.
Cloud attacks, on the other hand, are more unusual, but they can be more catastrophic when they do happen. Furthermore, some are never made public.