In an email to its customers, Microsoft acknowledged a security flaw in Microsoft Azure’s flagship Cosmos DB database. The vulnerability was first introduced in 2019, when Microsoft added a data visualization feature, Jupyter Notebook, to the service. The feature was then turned on by default for all Cosmos DB users in February 2021. “We fixed this issue immediately to keep our customers safe and protected. We thank the security researchers for working under coordinated vulnerability disclosure,” Microsoft told Reuters. The company also paid Wiz $40,000 for finding and reporting the flaw. Customers of Microsoft Azure Cosmos DB include companies such as Coca-Cola, Skype, Rolls-Royce, and Bentley, according to Microsoft’s own list.
No Proof of Malicious Activity – Microsoft
Microsoft says it has seen no evidence that the flaw was exploited by malicious actors. “We are not aware of any customer data being accessed because of this vulnerability,” it said in an email. However, Wiz Chief Technology Officer Ami Luttwak insists that “this is the worst cloud vulnerability you can imagine.” “This is the central database of Azure, and we were able to get access to any customer database that we wanted,” he added.

Luttwak’s team discovered the vulnerability on August 9. The report on Wiz’s website details how the team found the flaw. “A series of misconfigurations in the [Jupyter] notebook feature opened up a new attack vector we were able to exploit,” the report stated. “In short, the notebook container allowed for a privilege escalation into other customer notebooks.” “Next, after harvesting the Cosmos DB secrets, we showed that an attacker can leverage these keys for full admin access to all the data stored in the affected Cosmos DB accounts,” it added. “We exfiltrated the keys to gain long-term access to the customer assets and data. We could then control the customer Cosmos DB directly from the internet, with full read/write/delete permissions.”
Microsoft Suffers Several Security Issues
The Cosmos DB security flaw is the latest in a series of security issues for tech giant Microsoft. Earlier this month, a misconfiguration in Microsoft Power Apps led to multiple data leaks that left about 38 million records publicly accessible for months. The Microsoft Exchange Server mass hack in March involved at least ten hacking groups exploiting Exchange servers without needing valid account credentials. In December 2020, the company admitted that hackers had infiltrated its systems and viewed parts of the source code of its Azure cloud programs, its Exchange email programs, and Intune, its management platform for mobile devices and applications.