SAN FRANCISCO, Aug. 26 (Reuters) – Microsoft (MSFT.O) on Thursday warned thousands of its cloud computing customers, including some of the world’s largest companies, that intruders may have the ability to read, modify or even delete their main databases, according to a copy of the email and a cybersecurity researcher.
The vulnerability is in Microsoft Azure’s flagship Cosmos DB database. A research team from security firm Wiz found it was able to access the keys that control access to databases owned by thousands of companies. Wiz CTO Ami Luttwak is a former CTO of Microsoft’s Cloud Security Group.
Since Microsoft can’t change these keys on its own, it emailed customers on Thursday asking them to create new ones. Microsoft agreed to pay Wiz $40,000 for finding and reporting the flaw, according to an email it sent to Wiz.
“We resolved this issue immediately to keep our customers safe and secure. We thank the security researchers for working on coordinated vulnerability disclosure,” Microsoft told Reuters.
Microsoft’s email to customers stated that there was no evidence that the flaw had been exploited. “We have no indication that external entities outside of the researcher (Wiz) had access to the primary read-write key,” the email read.
“This is the worst cloud vulnerability you can imagine. It’s a long-standing secret,” Luttwak told Reuters. “This is Azure’s central database, and we were able to access any customer database we wanted.”
Luttwak’s team discovered the issue, dubbed ChaosDB, on August 9 and notified Microsoft on August 12, Luttwak said.
The flaw was in a viewing tool called Jupyter Notebook, which has been available for years but enabled by default in Cosmos starting in February. After Reuters reported the flaw, Wiz detailed the problem in a blog post.
Luttwak said even customers who were not notified by Microsoft could have their keys hacked by attackers, giving them access until those keys are changed. Microsoft only notified customers whose keys were visible this month, when Wiz was working on the issue.
Microsoft told Reuters that “customers who may have been affected have received a notification from us,” without giving further details.
The disclosure comes after months of bad security news for Microsoft. The company was breached by the same suspected Russian government hackers who infiltrated SolarWinds, and who stole Microsoft’s source code. Then, a large number of hackers broke into Exchange mail servers while a fix was in development.
A recent fix for a printer flaw that allowed computer takeovers had to be redone several times. Another Exchange flaw last week prompted an urgent warning from the US government that customers need to install patches released months ago because ransomware gangs are now exploiting them.
The issues with Azure are particularly troubling, as Microsoft and external security experts have pushed companies to ditch most of their own infrastructure and rely on the cloud for added security.
But although cloud attacks are rarer, they can be more devastating when they do occur. In addition, some are never publicized.
A federally contracted research lab tracks all known security vulnerabilities in software and evaluates them by severity. But there is no equivalent system for vulnerabilities in the cloud architecture, so many critical vulnerabilities are not disclosed to users, Luttwak said.
Reporting by Joseph Menn; Editing by William Mallard