Azure Database Service Flaw Could Affect Thousands of Firms
August 27, 2021
A vulnerability in Microsoft Azure’s database service Cosmos DB has potentially put at risk thousands of Azure customers, including many Fortune 500 companies, according to the public cloud infrastructure security firm Wiz.
Wiz says the vulnerability, discovered two weeks ago, enabled researchers to gain unrestricted access to the accounts and databases of several thousand Microsoft Azure customers.
On Thursday – the same day Wiz published its blog post describing the vulnerability – Microsoft sent an email to its cloud computing customers, stating that it had been made aware of the vulnerability on Aug. 12 and had taken steps to mitigate it, Wiz reports. “We are not aware of any data access because of this vulnerability,” said the note, a screenshot of which was tweeted by Wiz cloud security researcher Sagi Tzadik.
Wiz says that “a series of flaws in a Cosmos DB feature created a loophole, allowing any user to download, delete or manipulate a massive collection of commercial databases, as well as read-write access to the underlying architecture of Cosmos DB.”
The researchers named this vulnerability #ChaosDB. “Exploiting it was trivial and required no other credentials,” they say.
When asked by Information Security Media Group for comment, Microsoft responded: “We fixed this issue immediately to keep our customers safe and protected. We thank the security researchers for working under Coordinated Vulnerability Disclosure.”