‘Unprecedented’ Microsoft Azure database vulnerability impacts thousands of customers, researchers warn


A series of flaws in Microsoft Azure’s Cosmos DB exposed the accounts and databases of thousands of the company’s corporate customers to “complete [and] unrestricted access,” researchers with security firm Wiz reported on Thursday, two weeks after notifying the company of the problem.

Microsoft warned customers about the problem in an email message Thursday, advising them to create new database access keys, and saying it had found no evidence that the flaw had been exploited, according to a report by Reuters. In a statement, the company credited the researchers for following responsible disclosure practices.

It’s the latest in a series of recent security issues in Microsoft technologies, including a high-profile Exchange Server hack earlier this year and another that prompted a U.S. government warning last week. The problems show that shoring up software vulnerabilities remains one of the keys to improving cybersecurity.

Microsoft CEO Satya Nadella was among the tech executives who participated in a White House cybersecurity summit with President Joe Biden this week, where Microsoft pledged to quadruple its cybersecurity spending over the next five years.

Wiz security researchers Nir Ohfeld and Sagi Tzadik, who dubbed the flaw “ChaosDB,” credited Microsoft for taking quick action to turn off the vulnerable feature within 48 hours of notification but cautioned that “customers may still be impacted since their primary access keys were potentially exposed.”
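Microsoft's advice to affected customers was to regenerate their Cosmos DB account keys. The script below is an added example of how an operator would do that with the Azure CLI in an order that does not break running applications; it is not code from the article, from Wiz or from Microsoft. It assumes the `az` CLI is installed and logged in, that `RESOURCE_GROUP` and `ACCOUNT_NAME` are placeholders for your own account, and that `repoint-apps.sh` is a hypothetical script you write to push the chosen key to your application configuration.

```shell
#!/usr/bin/env bash
# Added example, not code from the article, Wiz or Microsoft.
# Rotates every Cosmos DB account key with the Azure CLI in an order
# that keeps running clients working. Assumes `az` is installed and
# logged in; RESOURCE_GROUP / ACCOUNT_NAME are placeholders.
set -eu

# Regenerate one key. `az cosmosdb keys regenerate` is a real command;
# --key-kind accepts primary, secondary, primaryReadonly, secondaryReadonly.
regenerate_key() {
  local rg="$1" acct="$2" kind="$3"
  az cosmosdb keys regenerate --resource-group "$rg" --name "$acct" \
      --key-kind "$kind" >/dev/null
  echo "regenerated:$kind"
}

# Zero-downtime order. The optional third argument is a hypothetical hook
# (script or shell function) that repoints your applications at the named
# key, e.g. by updating a Key Vault secret; it defaults to a no-op.
#   1. regenerate secondary   (no client should be using it yet)
#   2. clients -> secondary
#   3. regenerate primary     (the key assumed exposed)
#   4. clients -> primary
# Then the same for the read-only pair.
rotate_cosmos_keys() {
  local rg="$1" acct="$2" switch_clients="${3:-:}"
  regenerate_key "$rg" "$acct" secondary
  "$switch_clients" secondary
  regenerate_key "$rg" "$acct" primary
  "$switch_clients" primary
  regenerate_key "$rg" "$acct" secondaryReadonly
  regenerate_key "$rg" "$acct" primaryReadonly
}

# Print the current (new) primary key so it can be pushed to app config.
# `az cosmosdb keys list --type keys` is a real command.
current_primary_key() {
  local rg="$1" acct="$2"
  az cosmosdb keys list --resource-group "$rg" --name "$acct" \
      --type keys --query primaryMasterKey -o tsv
}

# Stand-alone usage (placeholders):
#   ./rotate.sh "$RESOURCE_GROUP" "$ACCOUNT_NAME" ./repoint-apps.sh
if [ "$#" -ge 2 ]; then
  rotate_cosmos_keys "$@"
fi
```

Regenerating the secondary key first matters: regenerating the primary key while clients still use it causes an immediate outage, whereas rotating the unused key, switching clients to it, and only then rotating the exposed primary key revokes the leaked credential without downtime. Note that a rotated key is only part of the remediation; any connection strings cached in application config, CI variables or notebooks must be updated as well.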

“Database exposures have become alarmingly common in recent years as more companies move to the cloud, and the culprit is usually a misconfiguration in the customer’s environment. In this case, customers were not at fault,” they wrote. “Rather, a series of flaws in a Cosmos DB feature created a loophole allowing any user to download, delete or manipulate a massive collection of commercial databases, as well as read/write access to the underlying architecture of Cosmos DB.”

Microsoft said in a statement to Reuters that it “fixed this issue immediately to keep our customers safe and protected.”
