(Bloomberg) — A vulnerability in Microsoft Inc.’s cloud database system left data at thousands of clients exposed to potential cyberattacks for about two years, according to the Israeli cybersecurity firm that discovered the bug.
More than 3,300 of the software giant’s customers were exposed to a flaw in its Azure Cosmos DB database product that could have granted a malicious actor access keys to steal, edit or delete sensitive data, according to researchers at the Tel Aviv-based Wiz.io. Wiz’s co-founder and Chief Technology Officer Ami Luttwak says his team of researchers discovered the vulnerability on Aug. 9 while managing security for some of its own Fortune 500 clients.
On Friday, Microsoft issued a statement: “Our investigation indicates no customer data was accessed because of this vulnerability by third parties or security researchers. We’ve notified the customers whose keys may have been affected during the researcher activity to regenerate their keys.”
Reuters reported earlier that Microsoft had warned thousands of its Azure customers on Thursday about the security flaw. In an email to clients that was reviewed by Bloomberg News, the software firm asked network administrators to take four steps to protect their Cosmos databases, including generating new digital keys used to securely access those systems.
Microsoft said they had fixed the vulnerability. “There is no evidence of this technique being exploited by malicious actors,” the company said in an emailed statement on Thursday. “We are not aware of any customer data being accessed because of this vulnerability.”
The Wiz researchers found that the vulnerability existed since mid-2019, when Microsoft added a new feature to Cosmos DB called Jupyter Notebooks. The add-on allows database managers to insert lines of code so they can visualize and interact with their data. The feature had to be toggled on by users until February 2021, when Microsoft activated Jupyter Notebooks by default.
“If I’m a customer using the cloud database, my biggest fear is someone accessing my data without me knowing,” said Wiz’s Luttwak. “And that’s what this vulnerability would have done, if not corrected.”
Cosmos DB counts companies including Exxon Mobil Corp., Coca-Cola Co. and Citrix Systems Inc. as clients, according to Microsoft’s website for the service. In a customer testimonial on the site, the Walgreens pharmacy chain says it processes more than 6 million prescriptions a day and the company uses Azure Cosmos DB to run “microservices that its prescription transactions rely on.”
(Updates with statement from Microsoft in third paragraph.)
More stories like this are available on bloomberg.com
©2021 Bloomberg L.P.