
Microsoft Azure Weakness Exposes 3,300 Customers


Microsoft has alerted thousands of Azure cloud computing customers, including several Fortune 500 companies, to a weakness that has left their data fully exposed for the past two years.

The flaw in Microsoft's Azure Cosmos DB database has left more than 3,300 Azure customers completely open to potential attackers since 2019, when Microsoft added a new data visualization feature called Jupyter Notebook to Cosmos DB. This feature was enabled by default for all Cosmos databases in February 2021.

“This is the biggest cloud weakness imaginable,” said Ami Luttwak, CTO of Wiz, the security company that discovered the problem. “This is the central Azure database and we were able to access any other customer database.”

Despite the severity and the risks, Microsoft found no evidence that the weakness led to unauthorized access to data. “There is no evidence that this method is being used by hackers,” Microsoft told Bloomberg in an email. “We are not aware of any customer data accessed due to this vulnerability.” Microsoft paid Wiz $40,000 for reporting it, according to Reuters.

According to a detailed Wiz blog post, a vulnerability in the Jupyter Notebook feature allowed the company’s researchers to gain access to the primary keys that protected the Cosmos DB databases of Microsoft customers. With these keys, Wiz had full read, write, and even delete access to the databases of thousands of Microsoft Azure customers.

Wiz says it discovered the problem two weeks ago, and Microsoft disabled the feature 48 hours after Wiz reported it. However, Microsoft is unable to change its customers’ primary access keys, so the company sent Cosmos DB customers an email asking them to change their keys manually to mitigate the exposure from this vulnerability.
