Microsoft has suffered its second major data scare this week. Following a PowerApps leak that exposed 38 million private records, a vulnerability in Microsoft Azure has left customer data exposed, and Wiz says it could have been exploited for as long as two years.
Security firm Wiz discovered and disclosed the problem, which affects Microsoft Azure Cosmos DB. The databases of more than 3,300 customers were exposed to anyone who exploited the flaw, and a threat actor who found it first could have used that access in a cyberattack.
Azure Cosmos DB was announced at Build 2017. It is a cloud database service built from the ground up as a new platform, intended to let customers power planet-scale cloud services and very large data applications. Microsoft describes Cosmos DB as a first-of-its-kind service with guaranteed uptime, consistency, throughput and latency at the 99th percentile.
Ami Luttwak, chief tech officer for Wiz, says the danger of this leak should not be underestimated.
“This is the worst cloud vulnerability you can imagine. This is the central database of Azure, and we were able to get access to any customer database that we wanted.”
The issue stems from the Jupyter Notebook feature that Microsoft added to Azure Cosmos DB in 2019. The feature lets users build custom views of their data, but misconfigurations in the notebook environment let an attacker abuse it to reach other customers' data.
The flaw has been present since 2019, but the exposure widened earlier this year when Microsoft began enabling the notebook feature automatically. Wiz used the vulnerability to gain access to Azure Cosmos DB accounts with full read, write and delete permissions.
Wiz reported the issue to Microsoft two weeks ago and Microsoft has since fixed it on its side. Wiz is nevertheless going public because Microsoft cannot rotate customers' access keys on their behalf: a key that may already have been exposed stays valid until the customer regenerates it, so customers must know to rotate their keys themselves.
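As an added example (this is not code from the article, from Wiz or from Microsoft), the following POSIX shell script performs the manual key rotation the article refers to, using the Azure CLI's `az cosmosdb keys` commands. It assumes `az` is installed and logged in with permission to regenerate keys on the account; the function names, the resource group and account names passed on the command line, and the decision to rotate the read-only keys as well are this example's own choices, not guidance from the page.

```shell
#!/bin/sh
# Rotate Azure Cosmos DB account keys after a suspected key exposure.
# Added example: assumes the Azure CLI (az) is installed and logged in with
# permission to regenerate keys on the account. Account and resource group
# names are supplied on the command line and are placeholders.
set -eu

# Print the current value of one key so a rotation can be verified.
# $1 = resource group, $2 = account name,
# $3 = primary | secondary | primaryReadonly | secondaryReadonly
current_key() {
  case "$3" in
    primary)           field=primaryMasterKey ;;
    secondary)         field=secondaryMasterKey ;;
    primaryReadonly)   field=primaryReadonlyMasterKey ;;
    secondaryReadonly) field=secondaryReadonlyMasterKey ;;
    *) echo "unknown key kind: $3" >&2; return 2 ;;
  esac
  az cosmosdb keys list --resource-group "$1" --name "$2" \
    --type keys --query "$field" --output tsv
}

# Regenerate one key and confirm that the value really changed.
# Returns 0 if the key changed, 1 if it did not (treat that as a failed rotation).
rotate_key() {
  before=$(current_key "$1" "$2" "$3")
  az cosmosdb keys regenerate --resource-group "$1" --name "$2" \
    --key-kind "$3" --output none
  after=$(current_key "$1" "$2" "$3")
  if [ "$before" = "$after" ]; then
    echo "rotation of $3 key on $2 did not change the key" >&2
    return 1
  fi
  echo "rotated $3 key on $2"
}

# Staged rotation that avoids an outage: regenerate the key the applications
# are NOT currently using, so they can be moved to it before the possibly
# exposed key is regenerated. $3 = key kind the applications use now.
rotate_standby() {
  case "$3" in
    primary)   standby=secondary ;;
    secondary) standby=primary ;;
    *) echo "active key must be primary or secondary" >&2; return 2 ;;
  esac
  rotate_key "$1" "$2" "$standby"
  echo "next: move applications to the $standby key, then run: rotate_key $1 $2 $3"
}

# Usage: sh rotate-cosmos-keys.sh <resource-group> <account> <active-key-kind>
if [ "$#" -eq 3 ]; then
  rotate_standby "$1" "$2" "$3"
  # Read-only keys grant read access to all data in the account; rotating
  # them too is this example's own precaution.
  rotate_key "$1" "$2" primaryReadonly
  rotate_key "$1" "$2" secondaryReadonly
fi
```

Run it as `sh rotate-cosmos-keys.sh my-rg my-cosmos primary` when applications currently authenticate with the primary key; it regenerates the secondary and both read-only keys, then tells you to repoint applications before regenerating the primary with `rotate_key`. The read-back check in `rotate_key` matters: a rotation that silently fails leaves an exposed key valid.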
Microsoft has already notified around 30% of its Cosmos DB customers, but Wiz wants public disclosure so that more customers learn of the problem. Speaking to Bloomberg, Microsoft said: “There is no evidence of this technique being exploited by malicious actors.”
Microsoft paid Wiz a $40,000 bounty for discovering the flaw.