Cosmos DB Now Chaos DB
Share this:
Microsoft warned thousands of its cloud computing customers, including some of the world’s largest companies, that intruders could have the ability to read, change or even delete their main databases.
The vulnerability is in Microsoft Azure’s flagship Cosmos database. A research team at security company Wiz discovered it was able to access keys that control access to databases held by thousands of companies.
This is the worst cloud vulnerability you can imagine. It is a long-lasting secret.This is the central database of Azure, and we were able to get access to any customer database that we wanted.
Researcher Statement
Microsoft cannot change those keys by itself, it emailed the customers telling them to create new ones. Microsoft agreed to pay Wiz $40,000 for finding the flaw and reporting it.
Microsoft has recently become aware of a vulnerability in Azure Cosmos DB that could potentially allow a user to gain access to another customer’s resources by using the account’s primary read-write key. We have no indication that external entities outside the researcher (Wiz) had access to the primary read-write key.
Microsoft Email to Customers
The disclosure comes after months of bad security news for Microsoft. The company was breached by the same suspected Russian government hackers that infiltrated SolarWinds, who stole Microsoft source code here.
