Researchers who discovered a massive flaw in the main databases stored in Microsoft Corp’s Azure cloud platform urged all users to change their digital access keys, not just the 3,300 customers that Microsoft notified last week.
Earlier this month, researchers at a cloud security company called Wiz discovered they could have gained access to the primary digital keys for most users of the Cosmos DB database system, allowing them to steal, change or delete millions of records.
Alerted by Wiz, Microsoft rapidly fixed the configuration mistake that would have made it easy for any Cosmos user to get into other customers’ databases, then notified some users on Thursday to change their keys.
In a blog post, Microsoft said it warned customers that had set up Cosmos access during the weeklong research period. It found no evidence that any attackers had used the same flaw to get into customer data, it noted.
“Our investigation shows no unauthorised access other than the researcher activity,” Microsoft wrote. “Notifications have been sent to all customers that could be potentially affected due to researcher activity,” it said, perhaps referring to the chance that the technique had leaked from Wiz.
“Though no customer data was accessed, it is recommended you regenerate your primary read-write keys,” it said.
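Regenerating the primary key alone leaves the secondary key, and the two read-only keys, unchanged, and regenerating a key that applications still use cuts them off. The following script is an added example, not code from the article, Microsoft or Wiz; it builds and, on request, executes the Azure CLI commands (`az cosmosdb keys regenerate` and `az cosmosdb keys list`) in an order that rotates all four account keys while clients are moved onto the key that was just regenerated. The account and resource-group names are placeholders supplied through environment variables.

```shell
#!/bin/sh
# Added example (not from the article or from Microsoft/Wiz): rotate every
# Azure Cosmos DB account key with the Azure CLI, in an order that lets
# applications switch to a fresh key before the one they hold is revoked.
# COSMOS_ACCOUNT and COSMOS_RG are placeholders, set them for a real account.
set -eu

COSMOS_ACCOUNT="${COSMOS_ACCOUNT:-placeholder-cosmos-account}"   # placeholder
COSMOS_RG="${COSMOS_RG:-placeholder-resource-group}"             # placeholder

# regen_cmd ACCOUNT RG KIND -> the az command that regenerates one key.
# KIND is one of: primary secondary primaryReadonly secondaryReadonly
regen_cmd() {
    printf 'az cosmosdb keys regenerate --name %s --resource-group %s --key-kind %s' "$1" "$2" "$3"
}

# list_cmd ACCOUNT RG -> the az command that prints the current keys as JSON,
# used to fetch a freshly regenerated key for the application configuration.
list_cmd() {
    printf 'az cosmosdb keys list --name %s --resource-group %s --type keys' "$1" "$2"
}

# rotation_plan ACCOUNT RG -> one regenerate command per line. The secondary
# key is regenerated first (no client should be using it), clients move to it,
# then the primary is regenerated; the read-only pair is handled the same way.
rotation_plan() {
    acct="$1"; rg="$2"
    regen_cmd "$acct" "$rg" secondary;         printf '\n'
    regen_cmd "$acct" "$rg" primary;           printf '\n'
    regen_cmd "$acct" "$rg" secondaryReadonly; printf '\n'
    regen_cmd "$acct" "$rg" primaryReadonly;   printf '\n'
}

# plan_length ACCOUNT RG -> number of regenerate steps in the plan.
plan_length() {
    rotation_plan "$1" "$2" | wc -l | tr -d ' '
}

# run_rotation ACCOUNT RG -> execute the plan step by step. After each step the
# operator must repoint applications at the key just regenerated (fetch it with
# the printed list command) before continuing, or the next step revokes a key
# that is still in use.
run_rotation() {
    acct="$1"; rg="$2"
    rotation_plan "$acct" "$rg" | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd"
        echo "# fetch the new key and update clients: $(list_cmd "$acct" "$rg")"
        printf 'Press Enter once clients use the new key: '
        read -r _ </dev/tty
    done
}

# Nothing touches Azure unless ROTATE=1 is set; otherwise print the plan.
if [ "${ROTATE:-0}" = "1" ]; then
    command -v az >/dev/null 2>&1 || { echo "az CLI not found" >&2; exit 1; }
    run_rotation "$COSMOS_ACCOUNT" "$COSMOS_RG"
else
    echo "Dry run (set ROTATE=1 to execute):"
    rotation_plan "$COSMOS_ACCOUNT" "$COSMOS_RG"
fi
```

Run it once without `ROTATE` to review the plan, then with `ROTATE=1 COSMOS_ACCOUNT=... COSMOS_RG=...` against a logged-in Azure CLI session. Rotating the read-only keys as well as the read-write pair is a design choice here: the article only says the primary read-write keys were at risk, but a rotation that leaves any long-lived key untouched still leaves an unrevoked credential behind.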
Last Thursday, Microsoft warned thousands of its cloud computing customers, including some of the world’s largest companies, that intruders could have the ability to read, change or even delete their main databases, according to a copy of the email and a cyber security researcher.
The vulnerability is in Microsoft Azure’s flagship Cosmos DB database. A research team at security company Wiz discovered it was able to access keys that control access to databases held by thousands of companies. Wiz Chief Technology Officer Ami Luttwak is a former chief technology officer at Microsoft’s Cloud Security Group.
Because Microsoft cannot change those keys by itself, it emailed the customers on Thursday telling them to create new ones. Microsoft agreed to pay Wiz $40,000 for finding the flaw and reporting it.
The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency said: “CISA strongly encourages Azure Cosmos DB customers to roll and regenerate their certificate key.”
Experts at Wiz agreed. “In my estimation, it’s really hard for them, if not impossible, to completely rule out that someone used this before,” said Wiz Chief Technology Officer Ami Luttwak.
Wiz said Microsoft had worked closely with it on the research but had declined to say how it could be sure earlier customers were safe.
(With inputs from agencies)