Cloud security company claims Microsoft Azure flaw left thousands of customers exposed
Wiz said it was able to gain access to the primary keys of Cosmos DB customers
Cybersecurity firm Wiz claims it was able to gain access to the accounts and databases of thousands of Microsoft Azure customers, including some of the world's biggest companies.
In a detailed blog post, Wiz said this was done through accessing the primary keys of Cosmos DB customers by exploiting a feature called Jupyter Notebook, which was first added in 2019. This then allowed its security team to access all the data stored in those accounts, it claims.
It goes on to add that the issue has been exploitable "for at least several months, possibly years".
In response, Microsoft told the Reuters news agency: "We fixed this issue immediately to keep our customers safe and protected. We thank the security researchers for working under coordinated vulnerability disclosure."
"This is the worst cloud vulnerability you can imagine. It is a long-lasting secret," Wiz's chief technology officer Ami Luttwak told Reuters.
"This is the central database of Azure, and we were able to get access to any customer database that we wanted."
Reuters said that Microsoft has emailed its customers telling them to create new keys because it cannot do so itself, but that it also claimed there was "no indication that external entities outside the researcher (Wiz) had access to the primary read-write key".
"Microsoft's Security Team deserves enormous credit for taking immediate action to address the problem. We rarely see security teams move so fast," Wiz said in the blog post.
"They disabled the vulnerable notebook feature within 48 hours after we reported it. It's still turned off for all customers pending a security redesign.
"However, customers may still be impacted since their primary access keys were potentially exposed. These are long-lived secrets and in the event of a breach, an attacker could use the key to exfiltrate databases."
It added that any Cosmos DB account that uses the notebook feature, or that was created after February 2021, has been potentially exposed, and urges those customers to follow these steps.