Microsoft Azure vulnerability exposed data of thousands of companies, potentially for years

Microsoft Azure Hero 4
Microsoft Azure Hero 4 (Image credit: Microsoft)

What you need to know

  • A vulnerability in Microsoft Azure left data from several Fortune 500 companies exposed.
  • It's believed that the vulnerability has been exploitable for several months and potentially years.
  • Microsoft has addressed the issue, though some organizations may need to take further action to mitigate the vulnerability.

Microsoft's Azure had a vulnerability that left data exposed, potentially for the last two years. The issue stems from a flaw in Microsoft's Azure Cosmos DB. The data of over 3,300 Azure customers could be accessed without restrictions by attackers that utilized the vulnerability.

Azure Cosmos DB is a database service for modern app development. Microsoft lists major customers of Azure Cosmos DB on its website, including Coca-Cola, Citrix, ExxonMobil, Liberty Mutual Insurance, and Albertsons-Safeway. Microsoft's Skype also uses Azure Cosmos DB.

Wiz discovered the vulnerability (via The Verge). Its chief technology officer, Ami Luttwak, said, "This is the worst cloud vulnerability you can imagine. This is the central database of Azure, and we were able to get access to any customer database that we wanted."

Microsoft added a feature called Jupyter Notebook to Cosmos DB in 2019. The feature lets people visualize data and create custom views. It was automatically enabled for all Cosmos DBs in February 2021. Due to a series of misconfigurations, Wiz was able to exploit Jupyter Notebook to gain privileged access to the primary keys of customers' Cosmos DBs. With the keys, Wiz gained full access to DBs with read, write, and delete permissions.

The issue was discovered two weeks ago, and Microsoft fixed it within 48 hours of Wiz reporting it. Because Microsoft can't change the primary access keys of customers, it had to tell customers to manually change keys, which mitigates exposure from the vulnerability.

Microsoft informed the 30% of its Cosmos DB customers that were affected by Wiz's research. Wiz believes that the vulnerability has been exploitable for at least several months, but that it could have been exploited for years.

While the security implications of the vulnerability are serious, Microsoft claims that there isn't evidence that it's been used by attackers to gain data. A statement from Microsoft to Bloomberg explains that "There is no evidence of this technique being exploited by malicious actors." Microsoft adds that it is "not aware of any customer data being accessed because of this vulnerability."

Wiz received $40,000 from Microsoft for discovering the vulnerability, according to Reuters.

Microsoft has had a series of security issues of late, including the PrintNightmare vulnerabilities and the attack on its Exchange servers.

CATEGORIES
Sean Endicott
News Writer and apps editor

Sean Endicott is a tech journalist at Windows Central, specializing in Windows, Microsoft software, AI, and PCs. He's covered major launches, from Windows 10 and 11 to the rise of AI tools like ChatGPT. Sean's journey began with the Lumia 740, leading to strong ties with app developers. Outside writing, he coaches American football, utilizing Microsoft services to manage his team. He studied broadcast journalism at Nottingham Trent University and is active on X @SeanEndicott_ and Threads @sean_endicott_.