The Microsoft Azure Cosmos DB could have been exposed for years, experts say.
Microsoft has warned thousands of its cloud computing customers that intruders could have the ability to read, change or even delete their main databases, according to reporting in Reuters. Microsoft issued the warning to all customers using the Microsoft Cosmos DB. Those affected include some of the world’s largest companies.
A research team at security company Wiz discovered it was able to access keys that control access to databases held by thousands of companies. Wiz Chief Technology Officer Ami Luttwak is a former chief technology officer at Microsoft’s Cloud Security Group.
Because Microsoft cannot change those keys by itself, it emailed the customers Thursday telling them to create new ones. Microsoft agreed to pay Wiz $40,000 for finding the flaw and reporting it.
Microsoft rushes to reassure its customers
“We fixed this issue immediately to keep our customers safe and protected. We thank the security researchers for working under coordinated vulnerability disclosure,” Microsoft told Reuters.
Microsoft’s email to customers said there was no evidence the flaw had been exploited. “We have no indication that external entities outside the researcher (Wiz) had access to the primary read-write key,” the email said.
“This is the worst cloud vulnerability you can imagine. It is a long-lasting secret,” Luttwak said. “This is the central database of Azure, and we were able to get access to any customer database that we wanted.” Luttwak’s team found the problem, dubbed ChaosDB, on Aug. 9 and notified Microsoft Aug. 12, he added.
The flaw was in Jupyter Notebook, a visualization tool. This tool has been available for years, but starting in February the Microsoft system enabled Jupyter by default. After Reuters reported on the flaw, Wiz detailed the issue in a blog post.
Microsoft told Reuters that “customers who may have been impacted received a notification from us,” but provided no further details.