According to a copy of the email and a cybersecurity researcher, Microsoft warned its cloud computing customers that their databases could be accessed by anyone.
The vulnerability lies in Microsoft Azure's Cosmos DB database. Wiz Security discovered that the vulnerability exposed keys granting access to thousands of databases. Wiz Chief Technology Officer Ami Luttwak is a former chief technology officer of Microsoft's Cloud Security Group.
Microsoft could not change these keys on its own, so it sent an email to customers on Thursday advising them to create new ones. According to an email sent to Wiz, Microsoft agreed to pay Wiz $40,000 for reporting the flaw.
The flaw was found in Jupyter Notebook, a visualization tool that has been around for many years but was only enabled in Cosmos DB starting in February. Wiz wrote a blog post about the issue after Reuters reported it.
Customers who were not notified by Microsoft could still have had their keys stolen by attackers, which would give the attackers access until the keys are changed. Microsoft did not inform customers about the keys that were visible this month. Wiz was still investigating the matter.
This disclosure comes after months of poor security news for Microsoft. The company was breached by the same suspected Russian government hackers that infiltrated SolarWinds, who stole Microsoft source code. While a patch was being developed, a large number of hackers broke into Exchange email servers.
A recent fix for a printer flaw that allowed computers to be taken over had to be redone. A second Exchange flaw was discovered last week; the U.S. government issued an urgent warning to customers that patches had been issued months ago and that ransomware gangs were now exploiting it.
Azure problems are particularly troubling because Microsoft and other security experts have been pushing companies toward the cloud as a way to improve security.
Cloud attacks are rarer, but they can still be devastating. Some are never publicized.
