Researchers from security firm Wiz have gained access to thousands of Microsoft Azure customer databases, demonstrating a major security flaw.
Microsoft Azure is currently the second-largest cloud platform, behind AWS. As a result, companies the world over, large and small, rely on the platform for mission-critical operations.
According to Wiz, the issue impacts Azure's flagship database, Cosmos DB.
A series of flaws in a Cosmos DB feature created a loophole allowing any user to download, delete or manipulate a massive collection of commercial databases, as well as read/write access to the underlying architecture of Cosmos DB.
We named this vulnerability #ChaosDB. Exploiting it was trivial and required no other credentials.
The flaw revolves around the Jupyter Notebook feature that Microsoft added in 2019. A misconfiguration in the notebook allows an attacker to escalate privileges and access other notebooks, the primary keys and eventually the entire database.
Every Cosmos DB account that uses the notebook feature, or that was created after January 2021, is potentially at risk. Starting this February, every newly created Cosmos DB account had the notebook feature enabled by default and their Primary Key could have been exposed even if the customer was not aware of it and never used the feature.
Microsoft has already begun warning customers, although it’s unclear to what extent. Wiz told The Register it believes Microsoft has only warned roughly 30% of impacted users, while Microsoft is saying all those affected have been notified.
Whatever the case, this is a devastating issue for Microsoft, coming on the heels of other widespread vulnerabilities.