Microsoft has warned a vulnerability in Microsoft Azure’s Cosmos DB database will assist hackers to read, change or even delete their main databases, Reuters reported.
A research team at security company Wiz discovered it was able to access keys that control access to databases held by thousands of companies. Wiz Chief Technology Officer Ami Luttwak is a former chief technology officer at Microsoft’s Cloud Security Group.
Because Microsoft cannot change those keys by itself, it emailed cloud computing customers, including some of the world’s largest companies, on Thursday telling them to create new ones. Microsoft agreed to pay Wiz $40,000 for finding the flaw and reporting it, according to an email it sent to Wiz.
“We fixed this issue to keep our customers safe and protected. We thank the security researchers for working under coordinated vulnerability disclosure,” Microsoft said.
Microsoft’s email to customers said there was no evidence the flaw had been exploited. “We have no indication that external entities outside the researcher (Wiz) had access to the primary read-write key,” the email said.
“This is the worst cloud vulnerability you can imagine. It is a long-lasting secret. This is the central database of Azure, and we were able to get access to any customer database that we wanted,” Ami Luttwak said.
Wiz found the problem, dubbed ChaosDB, on Aug. 9 and notified Microsoft Aug. 12.
Luttwak said even customers who have not been notified by Microsoft could have had their keys swiped by attackers, giving them access until those keys are changed. Microsoft only told customers whose keys were visible this month, when Wiz was working on the issue.
