...

Microsoft Azure flaw left thousands of cloud customers' data vulnerable




  • In Business
  • 2021-08-27 11:40:27Z
  • By Engadget
 

A vulnerability in Microsoft's Azure cloud computing service left several thousand customers susceptible to cyberattacks. The tech giant has warned its clients of the flaw in its flagship database service Cosmos DB after it was discovered and reported by security company Wiz. In the blog post Wiz has published, it said it was able to use the vulnerability, which it has named "ChaosDB," to gain "complete unrestricted access to the accounts and databases" of thousands of Azure clients.

Azure customers, including Fortune 500 companies such as Coca-Cola and Exxon-Mobil, use Cosmos DB to manage the massive amounts of data they get in real time. The company explained that it found a series of flaws in the Cosmos DB feature called Jupyter Notebook that gives customers a way to visualize their data. That feature has been around since 2019, but it was switched on for all Cosmos DB customers just this past February. Wiz said that a series of misconfigurations in the notebook created a loophole, which allows any user "to download, delete or manipulate a massive collection of commercial databases, as well as read/write access to the underlying architecture of Cosmos DB." 

While the security company praised Microsoft for disabling the notebook within 48 hours after it was alerted about the issue and for notifying around 30 percent of its customers, it warned that more clients may be at risk. Microsoft only notified the customers that were affected during Wiz's week-long research period this early August. However, the security firm believes the vulnerability has been exploitable for months, possibly even years. It's now advising Azure customers to rotate and regenerate their access keys even if they didn't get an email from Microsoft. That said, the tech giant said it found no evidence that the flaw has been exploited. It told the customers it emailed that there's no "indication that external entities outside the researcher (Wiz) had access to the primary read-write key

As Reuters notes, this is the latest in a series of bad security news for Microsoft over the past year. In February, the tech giant has revealed that the SolarWinds hackers accessed and downloaded source code for Azure, its cloud-based management solution Intune and its mail and calendar server Exchange. The Chinese Hafnium hacking group also exploited a vulnerability in Exchange to infiltrate at least 30,000 organizations around the world, including police departments, hospitals and banks.

COMMENTS

More Related News

What to expect in Windows 11: Former Microsoft PM Kevin Stratvert on the new upgrade
What to expect in Windows 11: Former Microsoft PM Kevin Stratvert on the new upgrade

Come on, how much has really changed in Windows 11 vs. Windows 10? To paraphrase a certain Spinal Tap guitarist, is it really worthy of taking it up to...

NYC Office Market Revives With Tech Firms Hunting for Space
NYC Office Market Revives With Tech Firms Hunting for Space

(Bloomberg) -- New York's battered office market is drawing more interest from tech companies that are hungry for space even as the pandemic upends...

Engadget Podcast: Everything Microsoft Surface + iPhone 13, iPad Mini reviews
Engadget Podcast: Everything Microsoft Surface + iPhone 13, iPad Mini reviews

It's fall, and new gadget season has officially begun! This week, Cherlynn and Devindra dive into all of Microsoft's new hardware: The Surface Laptop Studio, Pro 8 and Duo 2. (RIP, Surface Book.)

Xbox gains new features with updated Edge browser
Xbox gains new features with updated Edge browser

With its September Xbox update, Microsoft has finally brought the Edge browser to Xbox Series X/S and Xbox One consoles.

Leave a Comment

Your email address will not be published. Required fields are marked with *

Cancel reply

Comments

Top News: Business