Researchers who discovered a major flaw in key databases stored in Microsoft’s Azure cloud platform are now urging all users to change their digital access keys, not just the 3,300 they were notified this week.
Researchers at a cloud security company called Wiz discovered this month that they had access to the primary digital keys of most Cosmos DB users, allowing them to steal, change or delete millions of records.
Following an alert from Wiz, Microsoft quickly fixed a configuration bug that would have made it easy for any Cosmos DB user to access other clients’ databases, then told some users on Thursday to change their keys.
In a blog post on Friday, Microsoft said it warned customers who set up access to Cosmos during the week-long research period.
Microsoft said it had found no evidence that any attackers had used the same flaw to access customer data.
“Our investigation shows that there was no unauthorized access other than researcher activity,” Microsoft wrote.
“Notifications have been sent to all customers potentially affected by the researcher’s activity,” the company said, apparently referring to the access the Wiz researchers had obtained.
“While no access to customer data was found, it is recommended that you regenerate your primary read-write keys,” the post said.
The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency used stronger language in its Friday bulletin, making clear that its advice was not limited to those who had been notified.
“CISA strongly encourages Azure Cosmos DB customers to regenerate and roll their certificate keys,” the agency said.
The experts at Wiz, founded by four veterans of the Azure Internal Security Team, agreed.
“In my estimation, it’s really difficult, if not impossible, for them to completely rule out that someone has used this before,” said one of the four, Wiz’s chief technology officer, Ami Luttwak.
At Microsoft, he developed tools for logging cloud security incidents.
Microsoft did not give a direct answer when asked whether it had comprehensive logs covering the two years during which the Jupyter Notebook feature was misconfigured, or had used some other method to rule out abuse of the access.
“We’ve extended our search beyond the researcher’s activities to look for all possible activities of current and similar events in the past,” spokesman Ross Richendrfer said, declining to answer other questions.
Wiz said Microsoft worked closely with it on the research, but declined to say how it had ensured the safety of earlier customers.
“It’s terrifying. I really wish no one but us could find this bug,” said one of the lead researchers on the project at Wiz, Sagi Tzadik.