UPDATED 21:53 EDT / AUGUST 26 2021

SECURITY

Vulnerability in Microsoft Azure Cosmos DB may have exposed customer data to hackers

Microsoft Corp. has warned cloud customers that hackers may have accessed their data via an exploitable vulnerability in its Azure cloud service.

Reuters first reported the news today, but the discovery of the vulnerability came from researchers at Wiz Inc. The vulnerability is in Microsoft Azure’s Cosmos DB product and isn’t that hard to exploit.

The Wiz researchers discovered they could get access to keys that control access to thousands of companies. With those keys, they then had unfiltered access. Some of the customers include Coca-Cola Co., Exxon-Mobil Corp. and Citrix Systems Inc., among others.

“Database exposures have become alarmingly common in recent years as more companies move to the cloud and the culprit is usually a misconfiguration in the customer’s environment,” the Wiz researchers noted. “In this case, customers were not at fault.”

The issue lies with Microsoft and a series of flaws in an Azure Cosmos DB feature that creates a loophole, allowing any user to own, delete or manipulate commercial databases. The flaws also provide read/write access to the underlying architecture of Cosmos DB.

The Wiz researchers have dubbed the vulnerability #ChaosDB. They add that “exploiting it was trivial and required no other credentials.”

Microsoft cannot change customer keys by itself, with Reuters noting that the company emailed customers today telling them to create new keys. “We fixed this issue immediately to keep our customers safe and protected,” a Microsoft spokesperson said in a statement. “We thank the security researchers for working under coordinated vulnerability disclosure.”

That thanks included a payment to Wiz of $40,000 for finding the vulnerability and reporting it.

Vulnerabilities are disclosed nearly every day and often seem a dime a dozen. This Cosmos DB vulnerability, however, is severe.

“This is the worst cloud vulnerability you can imagine,” Wiz Chief Technology Officer Ami Luttwak told Reuters. “It is a long-lasting secret. This is the central database of Azure and we were able to get access to any customer database that we wanted.”

Noting that Microsoft has emailed some customers, the researchers at Wiz added that “we believe many more Cosmos DB customers may be at risk.” The vulnerability is said to have been exploitable for at least several months or possibly years.
