On Saturday, the researchers who discovered a huge flaw in the main database of Microsoft’s Azure cloud platform urged all users to change their digital access keys, not just the 3,300 notified this week.
As Reuters first reported, researchers from a cloud security company called Wiz discovered this month that they could access the main digital keys of most users of the Cosmos DB database system, allowing them to steal, change, or delete millions of records.
After Wiz alerted it, Microsoft quickly fixed a configuration error that would have allowed any Cosmos user to easily access other customers’ databases, and then on Thursday notified some users to change their keys.
Microsoft said in a blog post on Friday that it had warned the customers who set up Cosmos access during the week-long study. It said it had found no evidence of attackers using the same flaw to access customer data.
Microsoft wrote: “Our investigation shows that there is no unauthorized access other than the activities of the researchers.” “Notifications have been sent to all customers who may be affected by the activities of the researchers,” it said, referring to the possibility of the technique having leaked from Wiz.
“Although there is no access to customer data, it is recommended that you regenerate the master read and write keys,” it said.
The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency used stronger language in Friday’s announcement, making clear that it was not addressing only those who had been notified.
“CISA strongly encourages Azure Cosmos DB customers to roll over and regenerate their certificate keys,” the agency said.
Wiz, which was founded by four veterans of Azure’s internal security team, agreed.
“In my opinion, it is really difficult, if not impossible, for them to completely rule out that someone has used it before,” said Ami Luttwak, Wiz’s chief technology officer and one of the four. At Microsoft, he developed tools to record cloud security incidents.
Asked whether it had complete logs covering the two years during which the Jupyter Notebook feature was misconfigured, or whether it had used other methods to rule out abusive access, Microsoft did not answer directly.
“We expanded the search beyond the activities of researchers to find all possible activities of current and past similar events,” spokesperson Ross Richendrfer said, refusing to answer other questions.
Wiz said that Microsoft worked closely with it during the research, but declined to say how it had ensured that earlier customers were safe.
“This is horrible. I really hope that no one but us discovered this error,” said Sagi Tzadik, one of the main researchers of the Wiz project.
© Thomson Reuters 2021