SAN FRANCISCO: Microsoft has issued a warning to its cloud customers after discovering a breach in their database. These customers include some of the world's largest companies. Hackers could have been able to manipulate or even delete their main database, according to a copy of the email and a cybersecurity researcher.
According to the research team at cybersecurity company Wiz, the vulnerability surfaced in Microsoft Azure's Cosmos DB database. The team was able to access keys that control access to the database held by partner companies.
Microsoft cannot change the affected keys; on Thursday it sent an email to customers asking them to create new keys. Microsoft will pay Wiz a sum of $40,000 for finding the vulnerability. Microsoft has refused to make any immediate comment on the situation.
This is the worst cloud vulnerability you can imagine, said Ami Luttwak, who is Chief Technology Officer at Wiz. This is Azure's central database, and the Wiz team was able to get access to any customer database they wanted.
However, the email Microsoft sent to its customers says that there was no evidence of the flaw being exploited and that they have fixed the vulnerability. “We do not indicate that external entities outside the researcher (Wiz) had access to the primary read-write key,” the email said.
According to Luttwak, the data of many customers who were not notified by Microsoft might still be exposed, and this won't change until they change their keys. Microsoft has only notified those customers whose keys were visible this month.
Cloud attacks are rare, but they can be very destructive. All major companies are moving toward cloud storage these days, which makes it a great source of attraction for hackers. Some cloud data breaches are never even publicized.
A federally contracted research lab tracks all known security flaws in software and rates them by severity. But there is no equivalent system for holes in cloud architecture, so many critical vulnerabilities remain undisclosed to users, Luttwak said.