A Microsoft flaw exposed the data of thousands of companies for two years. There is no indication that the data has been accessed by attackers. It affects large companies that use the Microsoft cloud. Microsoft has warned customers of its Azure cloud service that a vulnerability allowed unrestricted access to their data.
Specifically, the ‘bug’ was in the database service Azure Cosmos DB, and was introduced by mistake in 2019, when Microsoft added a new data visualization feature called Jupyter Notebook. Although initially it was only available if activated manually, since February 2021 it has been active by default in all Cosmos DB accounts.
Cosmos DB is used by some of the largest companies on the planet, including Coca-Cola, ExxonMobil, ABB, Citrix, BMI and many more, some of them on the Fortune 500 list. The vulnerability has affected 3,300 customers, who have already been notified by Microsoft that their data was exposed. However, the company has also clarified that it has no evidence that the vulnerability has been exploited by malicious users, and that it is not aware of any access to customer data in this way, according to Reuters.
The security hole was discovered by Wiz, a cybersecurity company that explains the technical details of the problem on its blog. They come down to a misconfiguration of the service that allowed anyone to download, delete and manipulate the databases stored in the service, in addition to accessing the Cosmos DB architecture.
Wiz made this vulnerability public after notifying Microsoft, which disabled the function just 48 hours later. Although Wiz praises the speed of the reaction, it also criticizes the fact that the vulnerability is not fully closed yet. If an attacker had been able to access the databases in this way, they would still have the access keys. Microsoft cannot change them manually, and that is why it has contacted customers, asking them to change the keys and prevent future improper access, in the event that someone else discovered this ‘bug’ before Wiz.
At the moment, it appears that only the Wiz researchers discovered the vulnerability and were able to exploit it to break into Azure databases. They claim that they were able to access any database they wanted, and for that reason they call this the “worst vulnerability you can imagine”.