Microsoft Azure flaw exposed 'thousands' of customer databases

Security research Wiz describes Cosmos flaw as "the worst cloud vulnerability you can imagine"

Microsoft has warned thousands of its Azure cloud customers that their main databases have been compromised.

The impacted customers included some of the world's largest companies, according to cyber security researcher Wiz

The vulnerability is in Microsoft's Azure Cosmos database and allows intruders to read, change and even delete customer information, according to Wiz. The researchers were able to find keys that control access to databases held by "thousands" of companies.

The chief technology officer of Wiz, Ami Luttwak, is former CTO of Microsoft's Cloud Security Group. Her team found the exploit, dubbed 'ChaosDB', on 9 August and notified Microsoft on 12 August. 

"This is the worst cloud vulnerability you can imagine. It is a long-lasting secret," Luttwak told Reuters. "This is the central database of Azure, and we were able to get access to any customer database that we wanted."

IT Pro has approached Microsoft for comment, but it seems that it cannot change the access keys by itself, according to emails sent by the company to Wiz. The tech giant has reportedly agreed to pay the security researchers $40,000 for finding the flaw and reporting it.

In the email to customers, Microsoft said it has fixed the vulnerability, adding that there was no evidence the flaw had been exploited: "We have no indication that external entities outside the researcher (Wiz) had access to the primary read-write key," it said. 

This latest disclosure comes just a few months after the SolarWinds hack, where actors suspected to be working for the Russian government stole Microsoft's source code and caused breaches and issues around the world.

Exchange email flaws were still cropping up last week, with the US government sending out a warning that customers needed to instal patches that were issued months ago because ransomware gangs were now exploiting them. 

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Recommended

Nigerian cyber criminals target Texas unemployment system
cyber security

Nigerian cyber criminals target Texas unemployment system

27 May 2021
Hackers use open source Microsoft dev platform to deliver trojans
Security

Hackers use open source Microsoft dev platform to deliver trojans

14 May 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans
Laptops

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021
Windows 11 has problems with Oracle VirtualBox
Microsoft Windows

Windows 11 has problems with Oracle VirtualBox

5 Oct 2021