Microsoft warns thousands of cloud customers of exposed databases

More than 3,300 companies using Azure warned that their data has been completely exposed for the last two years, according to The Verge.

Microsoft warned thousands of its cloud computing customers, including many Fortune 500 companies like Coca Cola, Skype, Symantec, or even Finastra, that intruders could have the ability to read, change or even delete their main databases, according to a copy of the email and a cyber security researcher.

Microsoft Azure cloud vulnerability is the ‘worst you can imagine” said Ami Luttwak, Chief Technology Officer of Wiz, the security company that discovered the issue. “This is the central database of Azure, and we were able to get access to any customer database that we wanted.”

The vulnerability was introduced in 2019 when Microsoft added a data visualization feature called Jupyter Notebook to Cosmos DB. The feature was turned on by default for all Cosmos DBs in February 2021.

In a detailed blog post, Wiz says that the vulnerability introduced by Jupyter Notebook allowed the company’s researchers to gain access to the primary keys that secured the Cosmos DB databases for Microsoft customers. With said keys, Wiz had full read / write / delete access to the data of several thousand Microsoft Azure customers.

Wiz says that it discovered the issue two weeks ago and Microsoft disabled the vulnerability within 48 hours of Wiz reporting it. However, Microsoft can’t change its customers’ primary access keys, which is why the company emailed Cosmos DB customers to manually change their keys in order to mitigate exposure.

Microsoft paid Wiz $40,000 for the discovery, according to Reuters.