Microsoft has just warned several thousand of its Azure customers about a vulnerability that left their data completely exposed to possible hacker attacks for the last two years.
A flaw discovered in Microsoft's Azure Cosmos database product opened unrestricted access to the data of more than 3,300 Azure customers, including many from the Fortune 500 list.
This vulnerability was introduced back in 2019, when Microsoft added a data visualization feature named "Jupyter Notebook" to Cosmos DB. Sadly, this feature was turned on by default for all Cosmos database users in February 2021.
"This is the worst cloud vulnerability that you can imagine," said Ami Luttwak, who is chief technology officer at Wiz, the company that discovered this vulnerability. Luttwak also said that Microsoft's Azure Cosmos DB is actually the central database of Azure and that they were able to access any company database they wanted.
Despite the high severity and risk involved, Microsoft did not find any evidence of illicit data access or that the vulnerability was exploited by malicious actors. Microsoft has also rewarded Wiz with $40,000 for this discovery.
Microsoft disabled the vulnerability within 48 hours of receiving the report from Wiz. Microsoft also advised its customers to change their primary access keys in order to mitigate this exposure and additionally protect their data.