Microsoft has warned thousands of Azure cloud computing customers, including several Fortune 500 companies, of a weakness that has left their data completely exposed over the past two years.
A flaw in Microsoft’s Azure Cosmos DB database service has left more than 3,300 Azure customers fully exposed to potential attackers since 2019, when Microsoft added a data visualization feature based on Jupyter Notebook to Cosmos DB. The feature was turned on by default for all Cosmos DB accounts in February 2021.
“This is the worst weakness of the cloud that anyone can imagine,” said Ami Luttwak, chief technology officer at Wiz, the security company that discovered the problem. “This is Azure’s central database, and we were able to gain access to any other customer database.”
Despite the severity of the flaw, Microsoft said it had found no evidence that it had been used to gain illicit access to data. “There is no evidence that this technique is being exploited by malicious actors,” Microsoft told Bloomberg in an email statement. “We are not aware of any customer data that has been accessed because of this weakness.” Microsoft paid Wiz $40,000 for the discovery, according to Reuters.
According to a detailed post on the Wiz blog, the weakness in the Jupyter Notebook feature allowed the company’s researchers to obtain the primary keys that protect the Cosmos DB databases of Microsoft customers. With those keys, Wiz had full read, write, and even delete access to the data of several thousand Azure customers.
Wiz says it discovered the issue two weeks ago, and Microsoft disabled the feature within 48 hours of the report. Microsoft cannot rotate its customers’ primary access keys on their behalf, however, so it has emailed affected Cosmos DB customers asking them to regenerate their keys themselves. Disabling the feature does not invalidate keys that were already exposed: until an account’s keys are regenerated, anyone who obtained them still has full access to that account.
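The remediation Microsoft asked customers for is a key regeneration, which the Azure CLI can do with `az cosmosdb keys regenerate`. The script below is an added example, not code from the article, Wiz or Microsoft; the account name `contoso-cosmos` and resource group `contoso-rg` are hypothetical placeholders, and it requires an `az login` session with permissions on the account unless `DRY_RUN=1` is set, in which case it prints the commands instead of running them. It rotates the secondary key first and the primary key second, so clients can be moved to a fresh key at every step and the account is never left without a valid key the application knows.

```shell
#!/usr/bin/env bash
# Added example (not from the article, Wiz or Microsoft): regenerate a Cosmos DB
# account's read-write keys with the Azure CLI after a suspected key exposure.
# The account and resource-group names are hypothetical placeholders.
# Needs `az login` and permissions on the account unless DRY_RUN=1.
set -eu

ACCOUNT="${ACCOUNT:-contoso-cosmos}"           # hypothetical Cosmos DB account
RESOURCE_GROUP="${RESOURCE_GROUP:-contoso-rg}" # hypothetical resource group
DRY_RUN="${DRY_RUN:-0}"

# Run an az command, or print it when DRY_RUN=1 so the plan can be reviewed.
run_az() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'az %s\n' "$*"
  else
    az "$@"
  fi
}

# Regenerate one key. Valid kinds: primary, secondary,
# primaryReadonly, secondaryReadonly.
regenerate_key() {
  run_az cosmosdb keys regenerate \
    --name "$ACCOUNT" --resource-group "$RESOURCE_GROUP" --key-kind "$1"
}

# List the current read-write keys so the new values can be pushed to clients.
list_keys() {
  run_az cosmosdb keys list \
    --name "$ACCOUNT" --resource-group "$RESOURCE_GROUP" --type keys
}

# Rotation without downtime: clients keep working on the key that is NOT being
# regenerated, so the two keys are rotated one at a time, secondary first.
rotate_readwrite_keys() {
  regenerate_key secondary   # 1. secondary first: clients should be on primary
  list_keys                  # 2. read the new secondary key ...
  echo "# move clients to the new secondary key before continuing" >&2
  regenerate_key primary     # 3. the leaked/old primary key is now invalid
  list_keys                  # 4. read the new primary key ...
  echo "# move clients back to the new primary key" >&2
}

# Print only the az command sequence (for review or a change ticket).
rotation_plan() {
  ( DRY_RUN=1; rotate_readwrite_keys 2>/dev/null )
}

case "${1:-}" in
  plan)   rotation_plan ;;
  rotate) rotate_readwrite_keys ;;
esac
```

Run `./rotate-cosmos-keys.sh plan` to see the four commands it would issue, and `./rotate-cosmos-keys.sh rotate` to execute them against the account; read-only keys are rotated the same way with `--key-kind primaryReadonly` and `secondaryReadonly`. Regeneration invalidates the old key immediately, so the client update between steps is the part that needs coordination.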