Microsoft Azure: Researchers urge users to change digital access keys immediately, here’s why

Updated: August 30, 2021 4:20 PM

Microsoft fixed the configuration mistake that would allow any Cosmos user to access another’s database after being alerted by Wiz.

Wiz said it received close support from Microsoft on the research. (Photo credit: Reuters)

All users of Microsoft’s Azure should change their digital access keys and not just the 3,300 who have been notified, researchers who discovered the flaw in the cloud platform’s main database said.

Researchers at Wiz, a cloud security company, found that the primary digital keys for most users of the Cosmos DB database could be easily accessed, allowing anyone to change, steal, or even delete millions of records.

Microsoft fixed the configuration mistake that would allow any Cosmos user to access another’s database after being alerted by Wiz. The tech giant then alerted some users to change their keys.

Microsoft said in a blog post that it had issued alerts to customers who had set up access to Cosmos during the research window. However, it found that no attacker had used the flaw to access customer data.

The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, however, used much stronger language and made it clear that it was speaking to everyone with an account and not just the ones notified.

It encouraged customers of Azure Cosmos DB to regenerate their certificate key, a recommendation the experts at Wiz agreed with.

Wiz Chief Technology Officer Ami Luttwak, who developed tools to log cloud security incidents at Microsoft during his time there, said it would be hard for the company to fully rule out that someone had used the flaw before.

Microsoft, however, did not directly answer whether it had maintained comprehensive logs for the two-year period during which the Jupyter Notebook feature was misconfigured, or whether it had used any other way to rule out abuse.

Wiz said it received close support from Microsoft on the research. However, it refused to answer how it could be certain that earlier customers were safe.

One of Wiz’s lead researchers, Sagi Tzadik, said the bug was terrifying and expressed hope that no one else had found it.
