News Update

Microsoft warns thousands of cloud customers of exposed databases

• ByAyushi Ray     |    August 27, 2021

Microsoft warns thousands of cloud customers of exposed databases that intruders might have the ability to read, change or even delete their main databases, according to a copy of the email and a cyber security researcher.The vulnerability is in Microsoft Azure’s flagship Cosmos DB database. A research team at security company Wiz discovered it was able to access keys that control access to databases held by thousands of companies. Wiz Chief Technology Officer Ami Luttwak is a former chief technology officer at Microsoft’s Cloud Security Group. Because Microsoft cannot change those keys by itself, it emailed the customers Thursday telling them to create new ones. Microsoft agreed to pay Wiz $40,000 for finding the flaw and reporting it, according to an email it sent to Wiz.

Microsoft informed its customers through email, and also added that the vulnerability has been fixed, and that there was no evidence the flaw had been exploited. ”We have no indication that external entities outside the researcher (Wiz) had access to the primary read-write key,” the email said.This is the worst cloud vulnerability you can imagine. It is a long-lasting secret, Luttwak told Reuters. This is the central database of Azure, and we were able to get access to any customer database that we wanted. Luttwak’s team found the problem, dubbed ChaosDB, on Aug. 9 and notified Microsoft Aug. 12, Luttwak said. The flaw was in a visualization tool called Jupyter Notebook, which has been available for years but was enabled by default in Cosmos beginning in February. After Reuters reported on the flaw, Wiz detailed the issue databases in a blog post.

Follow Startup Story