They say that poorly configured cloud storage is the leading cause of data loss nowadays, and Microsoft’s latest blunder is the perfect example.
Cyber security researchers from Magician discovered a massive unlocked database, housing sensitive information on hundreds of people, including private keys and passwords.
The database, as it turned out, belonged to Microsoft researchers working on artificial intelligence (AI). The good news is that the database was locked before hackers could access it.
Oops! Our evil
As the Wiz researchers explained, they were investigating the accidental exposure of data hosted in the cloud when they found a Microsoft GitHub repository with open source code for AI models, to be used for image recognition. The models were hosted on an Azure Storage URL, but due to apparent human error, the storage also contained data that no one should have had access to.
That data includes 38 terabytes of information, including backups of two Microsoft employees’ computers, passwords for Microsoft services, and more than 30,000 Teams chat messages exchanged by Microsoft employees. The storage account was not directly accessible, the researchers explained. Instead, Microsoft’s AI team generated a Shared Access Signature (SAS) token that granted too many permissions. With SAS tokens, TechCrunch explains, Azure users can generate shareable links for Azure storage account data.
Wiz informed Microsoft of his findings on June 22, and the SAS token was revoked two days later. The company took nearly three weeks to conduct a thorough investigation, after which it concluded that unauthorized third parties had not accessed the data. TechCrunch said.
To make sure these things don’t happen again, Microsoft has expanded the GitHub secret spanning service, which tracks all changes to public open source code for credentials and other secrets exposed in plain text.
Unfortunately, unprotected databases are a common occurrence. Earlier this year, a relatively popular Android voice chat app, OyeTalk, did the same thing. It was using Google’s Firebase mobile application development platform, which also offers cloud-hosted databases. According to Cybernews researchers, OyeTalk’s Firebase instance was not password protected, meaning its contents were visible to everyone.