Azure Database Service Flaw Could Affect Thousands of Firms
A vulnerability in Microsoft Azure’s database service Cosmos DB has potentially put at risk thousands of Azure customers, including many Fortune 500 companies, according to the public cloud infrastructure security firm Wiz.
Wiz says the vulnerability, discovered two weeks ago, enabled researchers to gain unrestricted access to the accounts and databases of several thousand Microsoft Azure customers.
On Thursday – the same day Wiz published its blog post describing the vulnerability – Microsoft sent an email to its cloud computing customers, stating that it had been made aware of the vulnerability on Aug. 12 and took steps to mitigate it, Wiz reports. “We are not aware of any data access because of this vulnerability,” said the note, a screenshot of which was tweeted by Wiz cloud security researcher Sagi Tzadik.
Wiz says that “a series of flaws in a Cosmos DB feature created a loophole, allowing any user to download, delete or manipulate a massive collection of commercial databases, as well as read-write access to the underlying architecture of Cosmos DB.”
The researchers named this vulnerability #ChaosDB. “Exploiting it was trivial and required no other credentials,” they say.
When asked by Information Security Media Group for comment, Microsoft responded: “We fixed this issue immediately to keep our customers safe and protected. We thank the security researchers for working under Coordinated Vulnerability Disclosure.”