Security firm Wiz found that Microsoft Azure's flagship Cosmos DB database was vulnerable: its researchers had been able to access the keys that control access to databases held by thousands of companies.
Microsoft warned thousands of its cloud computing customers, including some of the largest companies on earth, that intruders could have read, edited or even deleted their main databases, according to the email it sent and a cyber security researcher.
Wiz's Chief Technology Officer, Ami Luttwak, is a former CTO of Microsoft's Cloud Security Group.
The message instructed customers to regenerate their keys themselves, because Microsoft cannot change those keys on a customer's behalf. Microsoft agreed to pay Wiz $40,000 for finding and reporting the flaw, according to an email it sent to Wiz.
In a statement to Reuters, Microsoft said: "We fixed this issue immediately to keep our customers safe. We thank the security researchers who worked under coordinated vulnerability disclosure."
According to Microsoft's email to customers, there was no evidence the flaw had been exploited. "We don't believe external entities outside the researcher (Wiz) have access to the primary read-write key," it stated.
Luttwak told Reuters that it is the worst cloud vulnerability anyone could imagine, and a secret that has lasted a long time. "The centralized database of Azure was compromised. We were able to gain access to any customer database we desired."
According to Luttwak, his team discovered the problem on Aug. 9 and notified Microsoft on Aug. 12.
The weakness was in Jupyter Notebook, a visualisation tool that has been available for years but was only enabled by default in Cosmos DB in February. Wiz described the problem in a blog post after Reuters reported on it.
Even customers who have not been contacted by Microsoft may have had their keys copied by attackers, who would keep access until those keys are changed, according to Luttwak. Microsoft notified only customers whose keys were visible this month, while Wiz was working on the issue.
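Because an exposed Cosmos DB key keeps working until the account owner regenerates it, the practical remediation is key rotation. The script below is an added example, not code from the article, from Wiz or from Microsoft; it uses the Az.CosmosDB PowerShell module and assumes you are already signed in with Connect-AzAccount, that the resource group and account names are supplied as parameters, and that your applications currently authenticate with the primary read-write key (the key class the article says was exposed). It rotates the secondary key first so clients can be moved onto a fresh key before the exposed primary is invalidated.

```powershell
# Added example (not from the article): rotate a Cosmos DB account's read-write keys
# with the Az PowerShell module. Assumes Az.CosmosDB is installed and Connect-AzAccount
# has already been run. Resource group and account names are caller-supplied placeholders.
#Requires -Modules Az.CosmosDB
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [Parameter(Mandatory)] [string] $AccountName
)

$ErrorActionPreference = 'Stop'

# Assumption: applications currently use the primary key. Rotating in this order keeps
# them working:
#   1. regenerate the secondary key,
#   2. move applications onto the new secondary key,
#   3. regenerate the (exposed) primary key, which revokes any copy an attacker holds.

# Record the keys as they are before rotation so the result can be verified afterwards.
$before = Get-AzCosmosDBAccountKey -ResourceGroupName $ResourceGroupName -Name $AccountName -Type 'Keys'

# Step 1: invalidate the old secondary key and issue a fresh one.
New-AzCosmosDBAccountKey -ResourceGroupName $ResourceGroupName -Name $AccountName -KeyKind 'Secondary' | Out-Null

# Step 2: distribute the new secondary key to every client (Key Vault, app settings,
# CI secrets). That step is environment-specific, so this script pauses here rather
# than printing the key to the console.
Write-Host "Update every client to use the new secondary key, then continue."
Read-Host "Press Enter once all clients have been redeployed with the new secondary key" | Out-Null

# Step 3: regenerate the primary key. Any copy taken before this moment stops working now.
New-AzCosmosDBAccountKey -ResourceGroupName $ResourceGroupName -Name $AccountName -KeyKind 'Primary' | Out-Null

# Verify that both read-write keys actually changed.
$after = Get-AzCosmosDBAccountKey -ResourceGroupName $ResourceGroupName -Name $AccountName -Type 'Keys'
if ($after.PrimaryMasterKey -eq $before.PrimaryMasterKey) { throw "Primary key was not rotated" }
if ($after.SecondaryMasterKey -eq $before.SecondaryMasterKey) { throw "Secondary key was not rotated" }
Write-Host "Primary and secondary read-write keys rotated for $AccountName."
```

The same cmdlet accepts the key kinds 'PrimaryReadonly' and 'SecondaryReadonly' if you want to rotate the read-only keys as well as a precaution; the article only reports the primary read-write key as exposed, so those extra rotations are optional. After rotation, check the account's diagnostic logs for requests that fail authentication, since those may come from clients you forgot to update or from a holder of the revoked key.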