Thousands of clients of Microsoft’s cloud were exposed to attack for two years
Wiz co-founder Ami Luttwak says researchers discovered the vulnerability while managing security for some of its own Fortune 500 clients
27 August 2021 - 15:04
byKartikay Mehrotra
Support our award-winning journalism. The Premium package (digital only) is R30 for the first month and thereafter you pay R129 p/m now ad-free for all subscribers.
A vulnerability in Microsoft’s cloud database system left data at thousands of clients exposed to potential cyberattacks for about two years, according to the Israeli cybersecurity firm that discovered the bug.
More than 3,300 of the software giant’s customers were exposed to a flaw in its Azure Cosmos DB database product that could have granted a malicious actor access keys to steal, edit or delete sensitive data, according to researchers at the Tel Aviv-based Wiz.io. Wiz’s co-founder and chief technology officer Ami Luttwak says his team of researchers discovered the vulnerability on August 9 while managing security for some of its own Fortune 500 clients.
Reuters reported earlier that Microsoft had warned thousands of its Azure customers on Thursday about the security flaw. In an email to clients that was reviewed by Bloomberg News, the software firm asked network administrators to take four steps to protect their Cosmos databases, including generating new digital keys used to securely access those systems.
Microsoft says they’ve since fixed the vulnerability. “There is no evidence of this technique being exploited by malicious actors,” the company said in an emailed statement. “We are not aware of any customer data being accessed because of this vulnerability.”
The Wiz researchers found that the vulnerability existed since mid-2019, when Microsoft added a new feature to Cosmos DB called Jupyter Notebooks. The add-on allows database managers to insert lines of code so they can visualise and interact with their data. The feature had to be toggled on by users until February 2021, when Microsoft activated Jupyter Notebooks by default.
“If I’m a customer using the cloud database, my biggest fear is someone accessing my data without me knowing,” said Wiz’s Luttwak. “And that’s what this vulnerability would have done, if not corrected.”
Cosmos DB counts companies including ExxonMobil, Coca-Cola and Citrix Systems as clients, according to Microsoft’s website for the service. In a customer testimonial on the site, the Walgreens pharmacy chain says it processes more than 6-million prescriptions a day and the company uses Azure Cosmos DB to run “microservices that its prescription transactions rely on”.
Bloomberg News. More stories like this are available on bloomberg.com
Support our award-winning journalism. The Premium package (digital only) is R30 for the first month and thereafter you pay R129 p/m now ad-free for all subscribers.
Thousands of clients of Microsoft’s cloud were exposed to attack for two years
Wiz co-founder Ami Luttwak says researchers discovered the vulnerability while managing security for some of its own Fortune 500 clients
A vulnerability in Microsoft’s cloud database system left data at thousands of clients exposed to potential cyberattacks for about two years, according to the Israeli cybersecurity firm that discovered the bug.
More than 3,300 of the software giant’s customers were exposed to a flaw in its Azure Cosmos DB database product that could have granted a malicious actor access keys to steal, edit or delete sensitive data, according to researchers at the Tel Aviv-based Wiz.io. Wiz’s co-founder and chief technology officer Ami Luttwak says his team of researchers discovered the vulnerability on August 9 while managing security for some of its own Fortune 500 clients.
Reuters reported earlier that Microsoft had warned thousands of its Azure customers on Thursday about the security flaw. In an email to clients that was reviewed by Bloomberg News, the software firm asked network administrators to take four steps to protect their Cosmos databases, including generating new digital keys used to securely access those systems.
Microsoft says they’ve since fixed the vulnerability. “There is no evidence of this technique being exploited by malicious actors,” the company said in an emailed statement. “We are not aware of any customer data being accessed because of this vulnerability.”
The Wiz researchers found that the vulnerability existed since mid-2019, when Microsoft added a new feature to Cosmos DB called Jupyter Notebooks. The add-on allows database managers to insert lines of code so they can visualise and interact with their data. The feature had to be toggled on by users until February 2021, when Microsoft activated Jupyter Notebooks by default.
“If I’m a customer using the cloud database, my biggest fear is someone accessing my data without me knowing,” said Wiz’s Luttwak. “And that’s what this vulnerability would have done, if not corrected.”
Cosmos DB counts companies including ExxonMobil, Coca-Cola and Citrix Systems as clients, according to Microsoft’s website for the service. In a customer testimonial on the site, the Walgreens pharmacy chain says it processes more than 6-million prescriptions a day and the company uses Azure Cosmos DB to run “microservices that its prescription transactions rely on”.
Bloomberg News. More stories like this are available on bloomberg.com
Teraco to spend R6bn on data-centre expansion
SoftBank pauses China investing as crackdown roils portfolio
Chinese hackers ‘gained total control’ of telecom companies
Would you like to comment on this article?
Sign up (it's quick and free) or sign in now.
Please read our Comment Policy before commenting.
Most Read
Related Articles
MacKenzie Scott and Melinda French Gates donate $40m to gender equality groups
Microsoft beats estimates as Azure sales soar 51%
Mark Zuckerberg talks up virtual ‘Metaverse’
Published by Arena Holdings and distributed with the Financial Mail on the last Thursday of every month except December and January.