Microsoft reported hack of Azure cloud service: 'worst imaginable'
Microsoft has warned thousands of its Azure cloud customers, including many Fortune 500 companies, about a vulnerability that has left their data fully exposed for the past two years.
A flaw in Microsoft's Azure Cosmos DB database code has left more than 3,300 Azure customers open to full, unrestricted access by attackers. The vulnerability surfaced in 2019, when Microsoft added a data visualization feature called Jupyter Notebook to Cosmos DB; the feature was enabled by default for all Cosmos DB databases in February 2021.
The Azure Cosmos DB customer list includes companies such as Coca-Cola, Liberty Mutual Insurance, ExxonMobil, Walgreens and others.
"This is the worst cloud vulnerability imaginable," said Ami Luttwak, CTO of Wiz, the security company that discovered the problem. "It's a central Azure database, and we were able to access any customer database we wanted."
Despite the severity and risk, Microsoft found no evidence that the vulnerability led to unauthorized access to the data. "There is no evidence that this technique was used by attackers," Microsoft said in a statement emailed to Bloomberg. "We are not aware of any instances of customer data being accessed because of this vulnerability."
According to Reuters, Microsoft paid Wiz $40,000 for the discovery.
A detailed post on Wiz's blog says the vulnerability introduced by the Jupyter Notebook feature allowed the company's researchers to access the primary keys that secure Microsoft customers' Cosmos DB databases. Using these keys, Wiz gained full read/write/delete access to the data of several thousand Microsoft Azure customers.