On Thursday, in an email to thousands of its cloud computing customers, Microsoft warned that hackers could easily access their Azure databases. An attacker exploiting the flaw could gain the ability to read, change or even delete the contents of those databases.
“This is the worst cloud vulnerability you can imagine. It is a long-lasting secret,” Luttwak, Wiz Chief Technology Officer and a former chief technology officer at Microsoft’s Cloud Security Group, told Reuters. “This is the central database of Azure, and we were able to get access to any customer database that we wanted.”
The vulnerability was discovered in Microsoft’s Cosmos DB database. More specifically, the flaw pertains to a popular visualization tool known as Jupyter Notebook, which is enabled by default. The flaw could allow a hacker to gain full control over sensitive information stored in the database.
Luttwak’s team dubbed the issue ChaosDB. It was found on Aug. 9 and reported to Microsoft Aug. 12. Microsoft will pay Wiz $40,000 for finding the flaw and discreetly reporting it.
Wiz’s researchers discovered they were able to access keys that control access to databases of thousands of companies.
Because the keys can’t be changed by Microsoft on a customer’s behalf, the tech giant advised customers to regenerate them themselves.
“We fixed this issue immediately to keep our customers safe and protected. We thank the security researchers for working under coordinated vulnerability disclosure,” Microsoft told Reuters.
In an email to customers, Microsoft said it did not find evidence that the flaw had been exploited. “We have no indication that external entities outside the researcher (Wiz) had access to the primary read-write key,” the company assured.
Microsoft told Reuters that “customers who may have been impacted received a notification from us.”
However, Wiz experts believe that even customers who were not notified by Microsoft about the issue could have had their keys stolen by attackers and should change them immediately.
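Regenerating the account keys is the remediation both Microsoft and Wiz point to above. The script below is an added example, not code from the article, Microsoft or Wiz; it assumes the Azure CLI (`az`) is installed and logged in, and that the caller updates applications to the new key afterwards (Azure expects an application to move to the other key before the key it uses is regenerated).

```shell
#!/usr/bin/env bash
# Added example: regenerate one read-write key kind (default: primary, the key
# ChaosDB exposed) on every Cosmos DB account in the current subscription.
# Assumes the Azure CLI is installed and authenticated. AZ_CMD is a hypothetical
# override so the script can be exercised against a stub without touching Azure.
set -euo pipefail

AZ_CMD="${AZ_CMD:-az}"

# Emit accounts as "<name><TAB><resourceGroup>", one per line.
list_cosmos_accounts() {
  "$AZ_CMD" cosmosdb list --query "[].[name,resourceGroup]" -o tsv
}

# Regenerate a single key kind (primary|secondary|primaryReadonly|secondaryReadonly)
# for one account. Output is discarded so the new key never lands in logs.
regenerate_key() {
  local account="$1" rg="$2" kind="$3"
  "$AZ_CMD" cosmosdb keys regenerate \
    --name "$account" --resource-group "$rg" --key-kind "$kind" >/dev/null
}

# Rotate the given key kind on every account; prints the number of accounts
# rotated. Move applications to the other key first, or they lose access.
rotate_all_accounts() {
  local kind="${1:-primary}" count=0 account rg
  local accounts
  accounts="$(list_cosmos_accounts)"
  while IFS=$'\t' read -r account rg; do
    [ -n "$account" ] || continue
    regenerate_key "$account" "$rg" "$kind"
    count=$((count + 1))
  done <<< "$accounts"
  echo "$count"
}

# Only rotate when run directly; sourcing the file just defines the functions.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  echo "rotated $(rotate_all_accounts "${1:-primary}") account(s)"
fi
```

Run it once for `primary` after switching applications to the secondary key, then once for `secondary` after switching back, so every read-write key that could have leaked is replaced.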