All users of Microsoft’s Azure should change their digital access keys and not just the 3,300 who have been notified, researchers who discovered the flaw in the cloud platform’s main database said.
Researchers at Wiz, a cloud security company, found that the primary digital keys for most users of Cosmos DB database could be easily accessed, allowing anyone to change, steal, or even delete millions of records.
Microsoft fixed the configuration mistake that would allow any Cosmos user to access another’s database after being alerted by Wiz. The tech giant then alerted some users to change their keys.
Microsoft said in a blog post that it had issued alerts to customers who had set up access to Cosmos during the research window. However, it found that no attacker had used the flaw to access customer data.
The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, however, used much stronger language and made it clear that it was speaking to everyone with an account and not just the ones notified.
It encouraged customers of Azure Cosmos DB to regenerate their certificate key, which the experts at Wiz also agreed with.
Wiz Chief Technology Officer Ami Luttwak, who developed tools to log cloud security incidents at Microsoft during his time there, said it would be hard for the company to fully rule out someone using this before.
Microsoft, however, did not directly answer if it had maintained comprehensive logs for the two-year period during which the Jupyter Notebook feature was misconfigured or used any other way to rule out abuse.
Wiz said it received close support from Microsoft on the research. However, it refused to answer how it could be certain that earlier customers were safe.
One of Wiz’s lead researchers, Sagi Tzadik, said it was terrifying and hoped no one else found the bug.
