Researchers who discovered a serious flaw in databases hosted on Microsoft Corp's Azure cloud platform urged all users on Saturday to change their digital access keys, not just the roughly 3,300 customers Microsoft notified this week.
As first reported by Reuters, researchers at the cloud security company Wiz discovered this month that they could have accessed the master digital keys of most users of the Cosmos DB database service, allowing them to steal, modify or delete millions of records.
Alerted by Wiz, Microsoft quickly fixed the configuration error that would have let any Cosmos DB user easily reach other customers' databases, then on Thursday notified some users to change their keys.
In a blog post on Friday, Microsoft said it had warned customers who had configured access to Cosmos DB during the week-long research period. It said it found no evidence that attackers had used the same flaw to access customer data.
“Our investigation shows no unauthorized access other than researcher activity,” Microsoft wrote. “Notifications have been sent to all customers that could be potentially affected due to researcher activity,” it said, possibly referring to the possibility that the technique had leaked from Wiz.
“Even though no customer data was accessed, it is recommended you regenerate your primary read-write keys,” it said.
The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency used stronger language in a bulletin on Friday, making clear that the advice was not limited to the customers Microsoft had notified.
“CISA strongly encourages Azure Cosmos DB customers to roll and regenerate their certificate keys,” the agency said.
Experts at Wiz, founded by four veterans of Azure’s internal security team, agreed.
“In my opinion, it's really hard, if not impossible, for them to completely rule out that someone has used it before,” said one of the four, Wiz CTO Ami Luttwak. At Microsoft, he built tools to log cloud security incidents.
Microsoft did not give a straightforward answer when asked if it had full logs for the two years the Jupyter Notebook feature was misconfigured or used some other means to rule out abuse.
“We expanded our search beyond the researcher's activities to look for all possible activity for current and similar events in the past,” spokesman Ross Richendrfer said, declining to answer further questions.
Wiz said Microsoft had worked closely with it on the research, but Microsoft declined to comment on how it could be sure that customers exposed earlier were safe.
“It's terrifying. I really hope no one other than us found this bug,” said one of the project's lead researchers at Wiz, Sagi Tzadik.
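Microsoft's and CISA's advice above (regenerate the primary read-write keys; roll and regenerate the keys) is a procedure, and the order matters: a key that an application is still using cannot be regenerated without an outage, and a regenerated key that is not verified to have changed gives no assurance. The script below is an added example, not Microsoft's, Wiz's or CISA's own code. It assumes the Azure CLI (`az`) is installed and logged in to the subscription that owns the account, and that the `cutover` function, a hypothetical hook, is replaced with whatever repoints your application at a given key (for example pushing a new connection string to a secret store). It rolls all four account keys, not only the primary read-write key, by always moving the application to the sibling key first, and it checks after each regeneration that Azure actually returned a different value.

```shell
#!/bin/sh
# Added example: roll all four Azure Cosmos DB account keys in a safe order
# and verify each one changed. Not Microsoft's, Wiz's or CISA's own script.
# Assumes the Azure CLI (`az`) is installed and logged in; `cutover` is a
# hypothetical hook to be replaced with your real application cutover.
set -eu

# Each step is "kind-to-regenerate:sibling-the-app-uses-meanwhile".
# Regenerating one key while the application authenticates with its sibling
# keeps traffic flowing; the read-only pair is rolled the same way.
ROTATION_PLAN="primary:secondary secondary:primary primaryReadonly:secondaryReadonly secondaryReadonly:primaryReadonly"

# Hypothetical hook: repoint the application at key KIND ($1) before its
# sibling is invalidated. Replace the body with a real config/secret push.
cutover() {
  echo "cutover: application now authenticating with the $1 key" >&2
}

# Map an `az --key-kind` value to the field name in `az cosmosdb keys list`.
key_field() {
  case "$1" in
    primary)           echo primaryMasterKey ;;
    secondary)         echo secondaryMasterKey ;;
    primaryReadonly)   echo primaryReadonlyMasterKey ;;
    secondaryReadonly) echo secondaryReadonlyMasterKey ;;
    *) echo "unknown key kind: $1" >&2; return 1 ;;
  esac
}

# current_key ACCOUNT RG KIND: print the current value of one account key.
current_key() {
  az cosmosdb keys list --name "$1" --resource-group "$2" --type keys \
     --query "$(key_field "$3")" --output tsv
}

# roll_cosmos_keys ACCOUNT RG: regenerate every key in ROTATION_PLAN order,
# cutting the application over to the sibling first and refusing to continue
# if Azure hands back the same key value. ROLLED_KINDS lists what was rolled.
roll_cosmos_keys() {
  account=$1; rg=$2; ROLLED_KINDS=""
  for step in $ROTATION_PLAN; do
    kind=${step%%:*}; sibling=${step##*:}
    before=$(current_key "$account" "$rg" "$kind")
    cutover "$sibling"
    az cosmosdb keys regenerate --name "$account" --resource-group "$rg" \
       --key-kind "$kind" --output none
    after=$(current_key "$account" "$rg" "$kind")
    if [ "$before" = "$after" ]; then
      echo "key $kind did not change; stop and investigate" >&2
      return 1
    fi
    ROLLED_KINDS="${ROLLED_KINDS:+$ROLLED_KINDS }$kind"
  done
  printf 'rolled: %s\n' "$ROLLED_KINDS"
}

# Usage: ./roll-cosmos-keys.sh <account-name> <resource-group>
if [ $# -eq 2 ]; then
  roll_cosmos_keys "$1" "$2"
fi
```

The rotation only closes the exposure once the application is on the new key, so the `cutover` step is the part that needs real engineering; the `before`/`after` comparison is there because a silently failed regeneration would leave a possibly exposed key valid while the operator believes it has been rolled.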