Microsoft has issued warnings to thousands of its Azure cloud computing clients, including several Fortune 500 companies, about a vulnerability that has left their data totally exposed for the past two years.
A vulnerability in Microsoft’s Azure Cosmos DB database system allowed attackers unfettered access to the data of over 3,300 Azure customers. The vulnerability was exposed in 2019, when Microsoft added a data visualization feature called Jupyter Notebook to Cosmos DB. In February 2021, the feature was enabled by default for all Cosmos DB databases.
“This is the worst cloud vulnerability you can imagine,” said Ami Luttwak, Chief Technology Officer of Wiz, the security company that discovered the issue. “This is the central database of Azure, and we were able to get access to any customer database that we wanted.”
Despite the severity and risk, Microsoft has found no sign of the vulnerability leading to unauthorized data access. “There is no indication of this approach being used by hostile actors,” Microsoft said in an emailed statement to Bloomberg. “We have no information of any customer data being accessed as a result of this vulnerability.”
Wiz claims in a lengthy blog post that the Jupyter Notebook vulnerability allowed the company’s researchers to obtain the primary keys that safeguarded the Cosmos DB databases of Microsoft clients. Using these keys, Wiz had complete read/write/delete access to the data of thousands of Microsoft Azure users.