
Microsoft Azure flaw left thousands of cloud customers' data vulnerable




  • 2021-08-27 11:40:27Z
  • By Engadget
 

A vulnerability in Microsoft's Azure cloud computing service left several thousand customers susceptible to cyberattacks. The tech giant has warned its clients of the flaw in its flagship database service Cosmos DB after it was discovered and reported by security company Wiz. In its blog post, Wiz said it was able to use the vulnerability, which it has named "ChaosDB," to gain "complete unrestricted access to the accounts and databases" of thousands of Azure clients.

Azure customers, including Fortune 500 companies such as Coca-Cola and ExxonMobil, use Cosmos DB to manage the massive amounts of data they get in real time. Wiz explained that it found a series of flaws in the Cosmos DB feature called Jupyter Notebook, which gives customers a way to visualize their data. That feature has been around since 2019, but it was switched on for all Cosmos DB customers just this past February. Wiz said that a series of misconfigurations in the notebook created a loophole, which allows any user "to download, delete or manipulate a massive collection of commercial databases, as well as read/write access to the underlying architecture of Cosmos DB."

While the security company praised Microsoft for disabling the notebook within 48 hours after it was alerted about the issue and for notifying around 30 percent of its customers, it warned that more clients may be at risk. Microsoft only notified the customers that were affected during Wiz's week-long research period in early August. However, the security firm believes the vulnerability has been exploitable for months, possibly even years. It is now advising Azure customers to rotate and regenerate their access keys even if they didn't get an email from Microsoft. That said, the tech giant said it found no evidence that the flaw has been exploited. It told the customers it emailed that there's no "indication that external entities outside the researcher (Wiz) had access to the primary read-write key

As Reuters notes, this is the latest in a string of bad security news for Microsoft over the past year. In February, the tech giant revealed that the SolarWinds hackers accessed and downloaded source code for Azure, its cloud-based management solution Intune and its mail and calendar server Exchange. The Chinese Hafnium hacking group also exploited a vulnerability in Exchange to infiltrate at least 30,000 organizations around the world, including police departments, hospitals and banks.
