With an email sent yesterday August 26 to his customers, Microsoft has warned of a vulnerability which he left exposed i database of thousands of cloud users. These include some of the largest technology companies in the world, which use i Cosmos DB di Azure to manage their data. The vulnerability was noticed by Wiz, which Microsoft rewarded $ 40,000 for finding the flaw.
Microsoft: Vulnerability exposes thousands of customers’ cloud databases
A Wiz research team discovered a vulnerability that would have allowed access to customer databases, leaving the possibility of read, modify and even delete customer data. “We solved this problem right away to keep our customers safe and secure. We thank the security researchers for sharing the vulnerability with us, ”Microsoft told Reuters.
According to the email sent to customers, Microsoft has “no indication that entities external to the researchers (Wiz) had access” to customer data. So there shouldn’t be any problems for those using Azure Cosmos DB. But that doesn’t erase the gravity of the fact, according to Wiz’s chief security officer (former Microsoft cloud security CTO). Ami Luttwak. “This is the worst kind of cloud vulnerability imaginable. It is a secret that will last. This is the Azure central database and we were able to access any customer database ”.
Wiz’s team identified the problem, called ChaosDB, on August 9, and reported it to Microsoft on the 12th. The flaw was in a visualization tool called Jupyter Notebook, available for years but enabled by default in Cosmos starting from February.
This security flaw is likely to turn into a reputational problem for Microsoft, which has had more than one problem cybersecurity in the last year. Especially since it touches the tool Azure, which many companies now prefer to on-premise private cloud. One of the main reasons for choosing cloud services from companies like Microsoft or Amazon is dedicated security. These kinds of problems could cost the trust of some large company. For this reason Microsoft is emphasizing the new investments in terms of safety.
If you want to learn more about the technical details of the attack, you can find the complete Wiz report here.