Microsoft Azure vulnerability exposed data of thousands of companies, potentially for years

Microsoft Azure Hero 4 (Image credit: Microsoft)

What you need to know

  • A vulnerability in Microsoft Azure left data from several Fortune 500 companies exposed.
  • It's believed that the vulnerability has been exploitable for several months and potentially years.
  • Microsoft has addressed the issue, though some organizations may need to take further action to mitigate the vulnerability.

Azure Cosmos DB is a database service for modern app development. Microsoft lists major customers of Azure Cosmos DB on its website, including Coca-Cola, Citrix, ExxonMobil, Liberty Mutual Insurance, and Albertsons-Safeway. Microsoft's Skype also uses Azure Cosmos DB.

Wiz discovered the vulnerability (via The Verge). Its chief technology officer, Ami Luttwak, said, "This is the worst cloud vulnerability you can imagine. This is the central database of Azure, and we were able to get access to any customer database that we wanted."

Microsoft added a feature called Jupyter Notebook to Cosmos DB in 2019. The feature lets people visualize data and create custom views. It was automatically enabled for all Cosmos DBs in February 2021. Due to a series of misconfigurations, Wiz was able to exploit Jupyter Notebook to gain privileged access to the primary keys of customers' Cosmos DBs. With the keys, Wiz gained full access to DBs with read, write, and delete permissions.

The issue was discovered two weeks ago, and Microsoft fixed it within 48 hours of Wiz reporting it. Because Microsoft can't change customers' primary access keys on their behalf, it had to instruct customers to regenerate their keys manually, which mitigates the exposure from the vulnerability.
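The key regeneration Microsoft asked customers to carry out, as an added shell example that is not from the article or from Microsoft's own guidance. It assumes the Azure CLI (`az`) is installed and signed in; the account name, resource group and `SWITCH_HOOK` are placeholders the caller supplies.

```shell
# Added example, not from the article: rotate an Azure Cosmos DB account's
# read-write keys with the Azure CLI after a suspected key exposure.
# Assumes `az` is installed and logged in; account name and resource group
# are placeholders passed by the caller. Key values are compared in memory
# and never printed, so the script does not leak a secret into logs.

# Print one key property (primaryMasterKey, secondaryMasterKey, ...) of an account.
current_key() {
  az cosmosdb keys list --name "$1" --resource-group "$2" --type keys \
    --query "$3" -o tsv
}

# Regenerate one key ($3 = primary|secondary|primaryReadonly|secondaryReadonly)
# and verify the stored value actually changed ($4 = matching property name).
rotate_one() {
  before=$(current_key "$1" "$2" "$4") || return 1
  az cosmosdb keys regenerate --name "$1" --resource-group "$2" \
    --key-kind "$3" >/dev/null || return 1
  after=$(current_key "$1" "$2" "$4") || return 1
  if [ "$before" = "$after" ]; then
    echo "$1: $3 key unchanged after regenerate" >&2
    return 1
  fi
}

# Rotate the read-write pair without downtime. Order matters: refresh the
# secondary (the spare) first, move clients onto it, then regenerate the
# primary that may have been exposed. SWITCH_HOOK is a placeholder for the
# caller's own command that repoints applications (e.g. updates a vault secret).
rotate_rw_keys() {
  acct="$1"; rg="$2"
  rotate_one "$acct" "$rg" secondary secondaryMasterKey || return 1
  if [ -n "${SWITCH_HOOK:-}" ]; then
    "$SWITCH_HOOK" "$acct" secondary || return 1
  fi
  rotate_one "$acct" "$rg" primary primaryMasterKey || return 1
  echo "$acct: read-write keys rotated"
}

# Example invocation with placeholder names:
#   rotate_rw_keys my-cosmos-account my-resource-group
```

The read-only pair (`primaryReadonly` / `secondaryReadonly`) is rotated the same way with `rotate_one`, and any clients that still hold a pre-rotation key will start failing, which is the intended effect.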

Microsoft notified the 30% of its Cosmos DB customers that were affected during Wiz's research. Wiz believes that the vulnerability has been exploitable for at least several months, and that it could have been exploitable for years.

While the security implications of the vulnerability are serious, Microsoft says there is no evidence that attackers used it to access data. A statement from Microsoft to Bloomberg explains that "There is no evidence of this technique being exploited by malicious actors." Microsoft adds that it is "not aware of any customer data being accessed because of this vulnerability."

Wiz received $40,000 from Microsoft for discovering the vulnerability, according to Reuters.

Microsoft has had a series of security issues of late, including the PrintNightmare vulnerabilities and the attack on its Exchange servers.

Sean Endicott
News Writer and apps editor