Microsoft on Thursday warned thousands of its cloud computing customers, including some of the world’s largest companies, that intruders could have the ability to read, change, or even delete their core databases, according to a copy of the email and a cybersecurity researcher.
The vulnerability is in Microsoft Azure’s Cosmos database. A research team from security company Wiz found that it was able to access keys that control access to the databases of thousands of companies. Ami Luttwak, director of technology at Wiz, is a former director of technology at Microsoft’s Cloud Security Group.
Because Microsoft can’t change those keys on its own, it emailed customers on Thursday telling them to create new ones. Microsoft agreed to pay Wiz $40,000 for finding the flaw and reporting it, according to an email it sent to Wiz.
Microsoft spokespeople did not immediately comment.
Microsoft’s email to customers said the vulnerability has been fixed and there is no evidence that the defect has been exploited. “We have no indication that external entities external to the researcher (Wiz) had access to the primary read and write key,” according to a copy of the email seen by Reuters.
“This is the worst vulnerability in the cloud you can imagine. It’s a long-term secret,” Luttwak told Reuters. “This is Azure’s core database and we’ve been able to access any customer database we want.”
Luttwak’s team found the problem, called ChaosDB, on Aug. 9 and reported it to Microsoft on Aug. 12, Luttwak said.
The disclosure comes after months of bad security news for Microsoft. The same alleged Russian government hackers who infiltrated SolarWinds stole Microsoft source code.
A recent fix for a printer flaw that allowed computers to be taken over had to be redone repeatedly. And an Exchange email flaw last week prompted an urgent U.S. government warning that customers must install patches issued months ago, because ransomware gangs are now exploiting it.