A vulnerability in Microsoft's Azure Cosmos DB database may have allowed hackers access to its cloud customers' private databases. This included the ability to read, change or even delete the database in question.
According to a report by Reuters, security company Wiz discovered the flaw and alerted Microsoft. Wiz realised that it could gain control of the access keys to the databases using the flaw.
"We fixed this issue immediately to keep our customers safe and protected. We thank the security researchers for working under coordinated vulnerability disclosure," Microsoft told Reuters.
Microsoft also sent out an email to customers telling them that there was no evidence that the flaw had been exploited by anyone other than Wiz.
"We have no indication that external entities outside the researcher (Wiz) had access to the primary read-write key," the email sent out to customers read.
Former Microsoft Chief Technology Officer Ami Luttwak, who currently serves as Wiz's technology officer, said, "This is the worst cloud vulnerability you can imagine. It is a long-lasting secret. This is the central database of Azure, and we were able to get access to any customer database that we wanted."
Wiz discovered the flaw on August 9 and alerted Microsoft on August 12. In a blog post that detailed the issue, Wiz explained how it managed to gain access to thousands of databases on Azure. The vulnerability, named ChaosDB, stemmed from a feature called Jupyter Notebook which was added to Azure in 2019. A series of misconfigurations introduced by the feature created the attack vector that Wiz was then able to exploit.