Pro Practice Alert: Critical Security Flaw Found in Microsoft Cloud Service

"Worst cloud vulnerability you can imagine."

Microsoft has issued a warning to its customers that a dangerous flaw in its cloud database service allows intruders easy access to customer accounts.

The risk affects thousands of users of Microsoft Azure’s Cosmos DB database service, including some of the world’s biggest companies. Cosmos DB was launched in 2017 and is touted by Microsoft as a solution for “managing data at planet scale” and “able to run your most important applications worry-free anywhere in the world.”

The bug, termed ChaosDB, was detected by the cybersecurity company Wiz.

“Wiz discovered it was able to access keys that control access to databases held by thousands of companies,” according to this report from Reuters and Insurance Journal. “[I]ntruders could have the ability to read, change or even delete their main databases.”

In an email sent August 26, Microsoft notified Cosmos DB users that they should create new access keys because the company couldn’t change the keys itself. It also said there was “no evidence the flaw had been exploited” and that “[w]e fixed this issue immediately to keep our customers safe and protected,” according to the Reuters article.

Worst Cloud Vulnerability Imaginable

Wiz says on its website that exploiting the flaw was shockingly easy.

“[I]magine our surprise when we were able to gain complete unrestricted access to the accounts and databases of several thousand Microsoft Azure customers, including many Fortune 500 companies,” according to this Wiz blogpost titled ChaosDB: How We Hacked Thousands of Azure Customer’s Databases. “Some of the world’s biggest businesses (see their website) use Cosmos DB to manage massive amounts of data from around the world in near real-time. As one of the simplest and most flexible ways for developers to store data, it powers critical business functions like processing millions of prescription transactions or managing customer order flows on e-commerce sites.”

Microsoft agreed to pay Wiz $40,000 for uncovering and reporting the flaw, according to news accounts.

“This is the worst cloud vulnerability you can imagine,” says Wiz’s Chief Technology Officer in the Reuters piece. “This is the central database of Azure, and we were able to get access to any customer database that we wanted.”

Sources: Insurance Journal, Reuters, Wiz and Microsoft Azure

Watch Alta Pro’s Free Cybersecurity Webinars

Alta Pro is committed to keeping you safe and successful by bringing you breaking news that can affect your business.

Have you seen our four-part series of webinars on cybersecurity? All four webinars addressed various aspects of staying cyber safe, including cloud computing. They were designed for law firms but are appropriate for all types of businesses. All are available free and on demand on YouTube. Here is the link to the Alta Pro YouTube channel, where you can watch them at your convenience.

Don’t Miss Our Upcoming Webinar!

Succession Planning is key to the future of your business.

Having a succession plan doesn’t mean you’re ready to retire or need to stop work today. It means having a blueprint for your future and a process for transitioning ownership smoothly, seamlessly and profitably.

Learn more about succession planning – and how you can design a plan that’s right for your practice – by attending our upcoming live webinar, Success in Succession Planning. Our guest speaker is Camille Stell, CEO and founder of Lawyers Mutual Consulting & Services, who (literally) wrote the book on Designing a Succession Plan for Your Law Practice. One hour of CLE credit has been applied for and is expected to be approved. Register here.


About the Editorial Staff

In an age of consolidation where increasingly impersonal transactions have made customer service an oxymoron, we bring together independent agents, insurance companies, and other industry specific service providers to develop and deliver insurance products and risk management solutions that benefit our insurance customers.
