Microsoft has warned thousands of its Azure cloud computing customers, including many Fortune 500 companies, about a vulnerability that left their data completely exposed for the last two years. Microsoft warns its cloud computing customers that intruders could have the ability to read, change or even delete their main databases. This vulnerability is said to be caused by a flaw in Microsoft’s Azure Cosmos DB database product and has left more than 3,300 Azure customers open to complete unrestricted access by attackers. The vulnerability was introduced in 2019 when Microsoft added a data visualization feature called Jupyter Notebook to Cosmos DB. Cosmos DB is Microsoft’s proprietary globally distributed, multi-model database service “for managing data at planet-scale” launched in May 2017. The feature was turned on by default for all Cosmos DBs in February 2021.
A listing of Azure Cosmos DB clients includes companies like Coca-Cola, Liberty Mutual Insurance, ExxonMobil, and Walgreens, to name just a few. According to Ami Luttwak, (a former chief technology officer at Microsoft’s Cloud Security Group), Chief Technology Officer of Wiz the security company that discovered the issue, he says “This is the worst cloud vulnerability you can imagine.” Luttwak added that “This is the central database of Azure, and we were able to get access to any customer database that we wanted.” Luttwak’s team found the problem, dubbed ChaosDB, on Aug. 9 and notified Microsoft on Aug. 12.
In a blog post, Wiz says that the vulnerability introduced by Jupyter Notebook allowed the company’s researchers to gain access to the primary keys that secured the Cosmos DB databases for Microsoft customers. With said keys, Wiz had full read/write/delete access to the data of several thousand Microsoft Azure customers. Wiz further says that it discovered the issue two weeks ago and Microsoft disabled the vulnerability within 48 hours of Wiz reporting it. However, Microsoft can’t change those customers’ primary access keys themselves, which is why the company opted into sending emails to Cosmos DB customers to manually change their keys in order to mitigate exposure. Microsoft paid Wiz $40,000 for the discovery.
Despite the severity and all the risk presented, Microsoft hasn’t seen any evidence of the vulnerability leading to illicit data access. “There is no evidence of this technique being exploited by malicious actors,” said Microsoft. “We are not aware of any customer data being accessed because of this vulnerability.” In an update posted to the Microsoft Security Response Center, the company said its forensic investigation included looking through logs to find any current activity or similar events in the past. “Our investigation shows no unauthorized access other than the researcher’s activity,” said Microsoft.
Today’s issue is just the latest security nightmare for Microsoft. The company had some of its source code stolen by SolarWinds hackers at the end of December, its Exchange email servers were breached and implicated in ransomware attacks in March, and a recent printer flaw in July, allowing attackers to take over computers with system-level privileges. But with the world’s data increasingly moving to centralized cloud services like Azure, the latest revelation could be the most troubling development yet for Microsoft.