Cybersecurity researchers from Wiz have discovered a huge, unlocked Microsoft Azure cloud storage database, hosting sensitive information on hundreds of people, including private keys and passwords.
The database, as it turned out, belonged to Microsoft’s researchers working on Artificial Intelligence (AI). The good news is that the database was locked before any hackers could get to it.
As Wiz’s researchers explained, they were investigating accidental cloud-hosted data exposure when they found a Microsoft GitHub repository with open-source code for AI models, to be used for image recognition. The models were hosted on an Azure Storage URL, but due to obvious human error, the storage also held data that no one should have access to.
Massive Microsoft breach
That data includes 38 terabytes of information, including backups of two Microsoft employees’ computers, passwords to Microsoft services, and more than 30,000 Teams chat messages exchanged by Microsoft employees. The storage account wasn’t accessible directly, the researchers explained. Instead, Microsoft’s AI team generated a shared access signature token (SAS) that granted too many permissions. With SAS tokens, TechCrunch explains, Azure users can generate shareable links for Azure Storage account data.
Wiz notified Microsoft of its findings on June 22, and the SAS token was revoked two days later. It took the company almost three weeks to run a thorough investigation, after which it concluded that the data hadn’t been accessed by any unauthorized third parties, TechCrunch said.
To make sure these things don’t happen again, Microsoft expanded GitHub’s secret spanning service, which tracks all public open-source code changes for credentials and other secrets exposed in plaintext.
Unfortunately, unsecured databases are a common occurrence. Earlier this year, a relatively popular Android voice chat app, OyeTalk, did the same thing. It was using Google’s Firebase mobile application development platform, which also offers cloud-hosted databases. According to researchers from Cybernews, OyeTalk’s Firebase instance was not password-protected, meaning its contents were available for all to see.