Microsoft has issued a warning to its customers that a dangerous flaw in its cloud database service could give intruders easy access to customer accounts.
The flaw affects thousands of customers of Microsoft Azure’s database service Cosmos DB, including some of the world’s biggest companies. Cosmos DB was launched in 2017 and is touted by Microsoft as a solution for “managing data at planet scale” and “able to run your most important applications worry-free anywhere in the world.”
The bug – dubbed ChaosDB – was discovered by the cyber security company Wiz.
“Wiz discovered it was able to access keys that control access to databases held by thousands of companies,” according to this report from Reuters and Insurance Journal. “[I]ntruders could have the ability to read, change or even delete their main databases.”
In an email sent August 26, Microsoft notified Cosmos DB users that they should create new access keys themselves, because the company could not change the keys on their behalf and an exposed key remains valid until the account owner regenerates it. Microsoft also said there was “no evidence the flaw had been exploited” and that “[w]e fixed this issue immediately to keep our customers safe and protected,” according to the Reuters article.
Worst Cloud Vulnerability Imaginable
Wiz says on its website that exploiting the flaw was shockingly easy.
“[I]magine our surprise when we were able to gain complete unrestricted access to the accounts and databases of several thousand Microsoft Azure customers, including many Fortune 500 companies,” according to this Wiz blogpost titled ChaosDB: How We Hacked Thousands of Azure Customers’ Databases. “Some of the world’s biggest businesses (see their website) use Cosmos DB to manage massive amounts of data from around the world in near real-time. As one of the simplest and most flexible ways for developers to store data, it powers critical business functions like processing millions of prescription transactions or managing customer order flows on e-commerce sites.”
Microsoft agreed to pay Wiz $40,000 for uncovering and reporting the flaw, according to news accounts.
“This is the worst cloud vulnerability you can imagine,” says Wiz’s Chief Technology Officer in the Reuters piece. “This is the central database of Azure, and we were able to get access to any customer database that we wanted.”
Watch Alta Pro’s Free Cybersecurity Webinars
Alta Pro is committed to keeping you safe and successful by bringing you breaking news that can affect your business.
Have you seen our four-part series of webinars on cybersecurity? The four webinars address different aspects of staying cyber safe, including cloud computing. They were designed for law firms but are appropriate for all types of businesses, and all are available free and on demand on YouTube. Here is the link to the Alta Pro YouTube channel, where you can watch them at your convenience.
Don’t Miss Our Upcoming Webinar!
Succession Planning is key to the future of your business.
Having a succession plan doesn’t mean you’re ready to retire or need to stop work today. It means having a blueprint for your future and a process for transitioning ownership smoothly, seamlessly and profitably.
Learn more about succession planning – and how you can design a plan that’s right for your practice – by attending our upcoming live webinar, Success in Succession Planning. Our guest speaker is Camille Stell, CEO and founder of Lawyers Mutual Consulting & Services, who (literally) wrote the book on Designing a Succession Plan for Your Law Practice. One hour of CLE credit has been applied for and is expected to be approved. Register here.