The tech giant said that its investigation suggested that no customer data was accessed by third parties or security researchers by exploiting the vulnerability


Microsoft warns Azure cloud customers of exposed database. (Credit: Jiaqian AirplaneFan/Wikimedia Commons)

Microsoft has warned customers of its Azure cloud platform regarding a software vulnerability that left their data exposed for the last two years.

The security issue was discovered by researchers at cybersecurity company Wiz, who named it #ChaosDB.

Over 3,300 Azure customers, including various Fortune 500 companies, had their customer data exposed to complete, unrestricted access by attackers because of a flaw in the Azure Cosmos DB database product.

Some of the high-profile clients of Azure Cosmos DB include ExxonMobil, Coca-Cola, Walgreens, and Liberty Mutual Insurance.

The vulnerability is said to have been introduced in 2019 after Microsoft added the Jupyter Notebook data visualisation feature to Cosmos DB. By default, the feature was turned on for all Cosmos DBs in February 2021.

Wiz said that several misconfigurations in the notebook feature created a new attack vector, which its team was able to exploit.

According to Microsoft, the vulnerability could let a user gain access to another customer’s resources by using the primary read-write key of the account.

Microsoft said that it immediately mitigated the security flaw by disabling the preview feature covered by the vulnerability for all customers.

Wiz chief technology officer Ami Luttwak said: “This is the worst cloud vulnerability you can imagine.

“This is the central database of Azure, and we were able to get access to any customer database that we wanted.”

However, Microsoft said that its investigation suggested that no customer data was accessed by third parties or security researchers by taking advantage of the vulnerability. The tech giant said that it had notified the customers whose keys could have been affected during Wiz's research activity and advised them to regenerate their keys.

Microsoft stated that the other keys, including the secondary read-write key, the primary read-only key, and the secondary read-only key, were not found to be vulnerable.
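For readers responsible for an affected account, the remediation Microsoft describes above is a key regeneration. The script below is an added example, not from this article or from Microsoft or Wiz, showing how that is done with the Azure CLI (`az cosmosdb keys regenerate`). The account and resource-group names are placeholders, and `DRY_RUN=1` (the default) only echoes the commands, so the script can be read and run without an Azure subscription.

```shell
#!/bin/sh
# Added example (not from the article, Microsoft or Wiz): regenerate Cosmos DB
# account keys with the Azure CLI. Account and resource-group names are
# placeholders supplied by the caller. With DRY_RUN=1 (the default) the az
# commands are only echoed, so the script runs offline.

DRY_RUN="${DRY_RUN:-1}"

# Execute a command, or just echo it when DRY_RUN=1.
run_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Regenerate one key of the given kind. The four kinds az accepts are
# primary, secondary, primaryReadonly and secondaryReadonly; anything else
# is rejected before any command is issued.
regenerate_key() {
    account="$1"; rg="$2"; kind="$3"
    case "$kind" in
        primary|secondary|primaryReadonly|secondaryReadonly) ;;
        *) echo "unknown key kind: $kind" >&2; return 1 ;;
    esac
    run_cmd az cosmosdb keys regenerate \
        --name "$account" --resource-group "$rg" --key-kind "$kind"
}

# Rotate the read-write pair. Only the primary read-write key was reported as
# exposed, but regenerating it alone breaks every client still using it, so the
# usual sequence is: move clients to the secondary key (out of band, before
# running this), regenerate the primary, move clients back to the new primary,
# then regenerate the secondary so no pre-rotation secret stays valid.
rotate_readwrite_keys() {
    account="$1"; rg="$2"
    regenerate_key "$account" "$rg" primary || return 1
    regenerate_key "$account" "$rg" secondary || return 1
}

# Usage (dry run): rotate_readwrite_keys my-cosmos-account my-resource-group
```

Run with `DRY_RUN=0` and a logged-in `az` session to perform the rotation. The client cut-over steps between the two regenerations are deliberately left outside the script, because they depend on where the application reads its connection string from (Key Vault, app settings, or configuration files).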

Cosmos DB is used by businesses for managing huge amounts of data from various parts of the world in near real-time, said Wiz. It powers highly important business functions such as processing millions of prescription transactions or handling customer order flows on e-commerce sites.

Wiz said that a series of flaws in a Cosmos DB feature combined into a loophole that would have let any user download, delete, or manipulate a vast collection of commercial databases.