image courtesy: Itpro.co.uk
On Thursday, Microsoft raised alarm against intruders’ gaining access to their main databases, which is a risk factor for thousands of cloud computing services under Microsoft alongside several other names of top-most companies of the world. This was an additional burden for the team at Microsoft after having to go through backlash upon months of bad security feedback for the company.
The flaw pertains in “Microsoft Azure’s flagship Cosmos DB database”. At a security company, Wiz, the research team realised they could gain keys to databases belonging to thousands of companies. The team led by Ami Luttwak, the Chief technology officer at Wiz had identified the issue on August 9 and had thereon sent notifications about the same to Microsoft on August 12.
Following this Microsoft sent a mail informing all its customers to create new keys because of their inability to change those on their own. As a token of appreciation, Microsoft is going to pay $40,000 to Wiz for having identified and informed about this flaw.
” We fixed this issue immediately to keep our customers safe and protected. We thank the security researchers for working under coordinated vulnerability disclosure,” – Microsoft in a statement to Reuters.
Microsoft made claims in its mail to all the customers that so far it has not gained any evidence of the malfunction being exploited.
“This is the worst cloud vulnerability you can imagine. It is a long-lasting secret,” Luttwak told Reuters. “This is the central database of Azure, and we were able to get access to any customer database that we wanted.”
The issue pertained in a visualisation tool, Jupyter Notebook, since its ability from years before and was recently enabled in Cosmos as a default feature since in the early phase of February this year.
Following the Reuters’ reports about the same, Wiz brought forth further information on the same via a blog post.
The customers who haven’t received any mail from the team at Microsoft might not be the ones whose name would appear in the visible keys this month, while Wiz continued its work on the issue. So there’s a chance for some of these customers’ to have their keys swiped by the cyber intruders already.