EXCLUSIVE Microsoft warns thousands of cloud customers of exposed databases

A Microsoft logo appears in a store in the Manhattan district of New York City, New York, USA, on January 25, 2021. REUTERS / Carlo Allegri

SAN FRANCISCO, Aug 26 (Reuters) – Microsoft (MSFT.O) warned thousands of its cloud computing customers on Thursday, including some of the world’s largest companies, that intruders could have the ability to read, change or even delete their core databases, according to a copy of the email and a cybersecurity researcher.

The vulnerability is in Microsoft Azure’s main Cosmos DB database. A research team from security company Wiz found that it was able to access keys that control access to databases of thousands of companies. Ami Luttwak, director of technology at Wiz, is a former director of technology at Microsoft’s Cloud Security Group.

Because Microsoft can’t change those keys on its own, it emailed customers on Thursday telling them to create new ones. Microsoft agreed to pay Wiz $40,000 for finding the flaw and reporting it, according to an email it sent to Wiz.

Microsoft said it had no immediate comment.

Microsoft’s email to customers said the vulnerability has been fixed and there is no evidence that the flaw has been exploited. “We have no indication that external entities outside the researcher (Wiz) had access to the primary read and write key,” the email said.

“This is the worst vulnerability in the cloud imaginable. It’s a long-standing secret,” Luttwak told Reuters. “This is Azure’s core database and we’ve been able to access any customer database we want.”

Luttwak’s team found the problem, called ChaosDB, on Aug. 9 and reported it to Microsoft on Aug. 12, Luttwak said.

The flaw was in a visualization tool called Jupyter Notebook, which has been available for years but was enabled by default in Cosmos beginning in February. After Reuters reported the flaw, Wiz detailed the issue in a blog post.

Luttwak said even customers who have not been alerted by Microsoft could have had their keys taken by attackers, giving them access until those keys are changed. Microsoft only told customers whose keys were visible this month, when Wiz was working on the issue.

The disclosure comes after months of bad security news for Microsoft. The company was breached by the same alleged Russian government hackers who infiltrated SolarWinds, who stole Microsoft source code. Then, a large number of hackers broke into Exchange email servers while a patch was being developed.

A recent fix for a printer flaw that allowed computer takeovers had to be redone repeatedly. Last week, another Exchange flaw prompted an urgent warning from the U.S. government that customers need to install patches issued months ago because ransomware gangs are now exploiting it.

Problems with Azure are especially worrisome, because Microsoft and external security experts have been pushing companies to abandon most of their own infrastructure and rely on the cloud for more security.

But while cloud attacks are rarer, they can be more devastating when they occur. Also, some are never publicized.

A federally contracted research lab tracks all known security flaws in software and rates them by severity. But there is no equivalent system for holes in cloud architecture, so many critical vulnerabilities remain undisclosed to users, Luttwak said.

Reporting by Joseph Menn; Editing by William Mallard
