Microsoft informs Azure customers about major vulnerability

31. August 2021

Microsoft notified several thousand customers of its Azure cloud service on Aug. 26, 2021, about a serious security vulnerability that allows unauthorized parties to gain full access to customers’ cloud databases. The vulnerability affects the multi-model NoSQL database CosmosDB, which is one of the cloud service’s key products. Microsoft says it has since closed the gap, but affected customers must take steps themselves to prevent unauthorized access.

As Reuters reports, a research team specializing in security from security firm Wiz discovered the vulnerability in the Azure security infrastructure, which allowed them to gain access to access keys, giving them full access to multiple companies’ databases. The vulnerability was discovered by the researchers on August 9th and reported to Microsoft on August 12th,2021. Wiz later published a blog post explaining the vulnerability. Primary read-write keys allow full access to customer databases. Through a feature called Jupyter Notebook, which was integrated into CosmosDB in 2019, it was possible to gain access to such keys from CosmosDB customers. This made it possible to read, modify and even delete all primary databases. CosmosDB is used by a number of Fortune 500 companies to manage massive amounts of data from around the world in near real-time.

According to Microsoft, the vulnerability was fixed immediately, and no evidence was found that anyone other than Wiz had accessed customer data. Still, Microsoft itself cannot change access keys, so affected customers were emailed on Aug. 26 to change their keys. However, the problem may have affected customers who were not notified. Microsoft has told Wiz that it will pay out $40,000 for reporting the vulnerability.

If you have received a notice from Microsoft and one of your databases is affected that contains personal data, you must assess whether you are required to report this incident to the relevant data protection supervisory authority within 72 hours in accordance with Article 33 of the GDPR. If you believe your organization may be impacted by ChaosDB, please follow the steps described by Wiz in this blog post for detailed instructions on how to protect your environment.

This incident marks the third major security incident involving Microsoft products within 12 months, following the so-called “SolarWinds” hack in December 2020 (please see our blog post) and a large-scale hack of Microsoft Exchange in March 2021 (please see our blog post).