Researchers who discovered a major flaw in key databases stored on Microsoft’s Azure cloud platform on Saturday asked all users to change their digital access keys, not just the 3,300 notified this week.
As first reported by Reuters, researchers at a cloud security company called Wiz discovered this month that they could have gained access to the primary digital keys for most users of the Cosmos DB database system, allowing them to steal, alter or delete millions of records.
Alerted by Wiz, Microsoft quickly fixed a configuration error that would have made it easier for any Cosmos user to access other customers’ databases, then notified some users on Thursday to change their keys.
In a blog post on Friday, Microsoft said it had alerted the customers who set up access to Cosmos during the one-week research period. It found no evidence that any attacker had used the same flaw to access customer data, the company noted.
“Our investigation shows no unauthorized access other than researcher activity,” Microsoft wrote. “Notifications were sent to all clients who could potentially be affected due to the researcher’s activity,” it said, apparently referring to the chance that the technique had leaked from Wiz.
“Although no customer data has been accessed, it is recommended that you regenerate your primary read and write keys,” it said.
The US Department of Homeland Security’s Cyber Security and Infrastructure Agency used stronger language in a bulletin on Friday, making clear that its advice was not limited to those who had been notified.
“CISA strongly encourages Azure Cosmos DB customers to create and regenerate their certificate key,” the agency said.
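Both Microsoft and CISA stop at "regenerate your keys" without saying how to do it without an outage. The script below is an added example, not code from the article, Microsoft or Wiz: it rotates a Cosmos DB account's keys with the Az PowerShell module in an order that keeps applications running (fresh secondary first, repoint clients, then the primary that the researchers obtained), prints only a fingerprint of each key rather than the key itself, and finishes with an Activity Log query for recent key-listing calls. It assumes Az.CosmosDB and Az.Monitor are installed and `Connect-AzAccount` has already run; the resource group and account names are placeholders.

```powershell
# Added example (not from the article, Microsoft or Wiz): zero-downtime key
# rotation for an Azure Cosmos DB account using the Az PowerShell module.
# Assumes Az.CosmosDB and Az.Monitor are installed and Connect-AzAccount has run.
$ResourceGroup = "rg-example"        # placeholder resource group name
$AccountName   = "cosmos-example"    # placeholder Cosmos DB account name

function Get-KeyFingerprint {
    # Return the first 12 hex chars of SHA-256(key) so the rotation is visible
    # in console output or a transcript without ever printing the key itself.
    param([string]$Key)
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Key))
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').Substring(0, 12)
}

function Show-Keys {
    param([string]$Label)
    $keys = Get-AzCosmosDBAccountKey -ResourceGroupName $ResourceGroup -Name $AccountName -Type "Keys"
    Write-Host ("{0}: primary={1} secondary={2}" -f $Label,
        (Get-KeyFingerprint $keys.PrimaryMasterKey),
        (Get-KeyFingerprint $keys.SecondaryMasterKey))
}

Show-Keys "Before rotation"

# Step 1: regenerate the SECONDARY key first. Applications normally hold the
# primary, so nothing breaks yet and you now have one known-fresh key.
New-AzCosmosDBAccountKey -ResourceGroupName $ResourceGroup -Name $AccountName -KeyKind "secondary" | Out-Null

# Step 2: repoint applications to the new secondary key (update the connection
# string in Key Vault / app settings and redeploy). This is the manual step
# between the two regenerations.
Read-Host "Switch applications to the new secondary key, then press Enter"

# Step 3: regenerate the PRIMARY key, the one the researchers were able to obtain.
New-AzCosmosDBAccountKey -ResourceGroupName $ResourceGroup -Name $AccountName -KeyKind "primary" | Out-Null

# Step 4: the read-only keys grant read access to every record, so rotate them too.
foreach ($kind in @("primaryReadonly", "secondaryReadonly")) {
    New-AzCosmosDBAccountKey -ResourceGroupName $ResourceGroup -Name $AccountName -KeyKind $kind | Out-Null
}

Show-Keys "After rotation"

# Detection side: who listed or regenerated keys on this account recently?
# The Activity Log only reaches back 90 days, so it cannot answer the
# two-year question raised in the article; treat an empty result as
# "nothing in the retained window", not as proof that nothing happened.
$account = Get-AzCosmosDBAccount -ResourceGroupName $ResourceGroup -Name $AccountName
Get-AzActivityLog -ResourceId $account.Id -StartTime (Get-Date).AddDays(-89) |
    Where-Object { $_.OperationName.Value -like "*listKeys*" -or
                   $_.OperationName.Value -like "*regenerateKey*" } |
    Select-Object EventTimestamp, Caller,
                  @{ Name = 'Operation'; Expression = { $_.OperationName.Value } },
                  @{ Name = 'Status';    Expression = { $_.Status.Value } } |
    Format-Table -AutoSize
```

Run it once per Cosmos DB account; the `Read-Host` pause is the point at which clients must already be using the new secondary key, otherwise step 3 cuts them off. If applications read the key from Key Vault, the pause is also where the new value is written there.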
The experts at Wiz, founded by four veterans of Azure’s internal security team, agreed.
“In my opinion, it’s really hard for them, if not impossible, to completely rule out that someone has used this before,” said one of the four, Wiz’s chief technology officer, Ami Luttwak. At Microsoft, he developed tools to log security incidents in the cloud.
Microsoft did not give a straight answer when asked if it had comprehensive records for the two years the Jupyter Notebook feature was misconfigured or if it used another way to rule out access abuse.
“We have expanded our search beyond the researcher’s activities to look for all possible activities for current and similar events in the past,” said spokesman Ross Richendrfer, declining to answer further questions.
Wiz said Microsoft worked closely with it on the research, but declined to say how it could be sure customers had been safe before the fix.
“It’s scary. I really hope no one but us has found this bug,” said Sagi Tzadik, one of the project’s lead researchers at Wiz.
© Thomson Reuters 2021