Misconfigured cloud storage is often cited as a leading cause of data breaches, and Microsoft's latest misstep is a textbook example.
Cybersecurity researchers from Wiz discovered a massive, publicly reachable Azure storage account holding sensitive data on hundreds of Microsoft employees, including private keys and passwords.
The storage belonged to Microsoft researchers working on artificial intelligence (AI). The good news is that the exposed link was revoked, and Microsoft's investigation found no sign that attackers had reached the data first.
Oops! Our bad
As the Wiz researchers explained, they were investigating accidental exposure of cloud-hosted data when they came across a Microsoft GitHub repository containing open-source AI models for image recognition. The repository pointed readers to an Azure Storage URL to download the models, but, due to apparent human error, that link granted access to far more than the model files.
The extra data ran to 38 terabytes, including backups of two Microsoft employees' workstations, passwords and other secrets for Microsoft services, and more than 30,000 internal Teams chat messages exchanged by Microsoft employees. The storage account itself was not open to the public, the researchers explained. Instead, Microsoft's AI team had generated a Shared Access Signature (SAS) token that granted far broader permissions than the download needed. SAS tokens, as TechCrunch explains, let Azure users create shareable links to Azure Storage data; the scope, permissions and expiry encoded in the token decide exactly how much the holder of the link can do. The practitioner's caveat: an account SAS is signed with the storage account key, so Azure keeps no inventory of the tokens that have been issued, and the only way to revoke one is to rotate that key. An over-broad token is therefore both hard to spot and hard to kill.
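The token's danger lay in four properties that can be read straight off the URL: account-wide scope, write and delete rights, a multi-decade expiry and no network restriction. The following audit script is an added example, not Wiz's or Microsoft's code. It parses the documented SAS query parameters (sv, ss, srt, sr, sp, st, se, sip, spr, sig) and reports each risky property, comparing a constructed over-broad account SAS with the narrowly scoped service SAS the download actually needed. The storage account name, the signatures and the 7-day lifetime policy are assumptions made for the example.

```python
"""Audit an Azure Storage SAS URL for the properties that made the leaked
token dangerous: account-wide scope, write and delete rights, a far-future
expiry and no network restriction.  Added example; not Wiz's or Microsoft's
code.  Parameter names are the documented SAS query parameters; the sample
URLs and their signatures are constructed placeholders, and MAX_LIFETIME is
an assumed policy threshold.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Permission letters that modify or destroy data rather than just read it.
WRITE_CLASS = set("wdacupxyfit")
# Assumed policy: a shared download link should not outlive a week.
MAX_LIFETIME = timedelta(days=7)

# Constructed sample URLs (fictional account, placeholder signatures).
# The first has the shape of an over-broad account SAS: all services
# (ss=bfqt), all resource types (srt=sco), near-full permissions, 2051 expiry.
OVERBROAD_URL = (
    "https://constructedacct.blob.core.windows.net/aimodels/"
    "?sv=2020-10-02&ss=bfqt&srt=sco&sp=rwdlacupx"
    "&se=2051-10-05T16:22:25Z&spr=https&sig=PLACEHOLDER"
)
# The second is what a model download actually needs: one blob, read only,
# one hour, a single client IP.
SCOPED_URL = (
    "https://constructedacct.blob.core.windows.net/aimodels/model.tar.gz"
    "?sv=2020-10-02&sr=b&sp=r&st=2023-06-22T00:00:00Z"
    "&se=2023-06-22T01:00:00Z&sip=203.0.113.10&spr=https&sig=PLACEHOLDER"
)
# Fixed clock (constructed, inside the scoped link's window) so the audit is deterministic.
REFERENCE_NOW = datetime(2023, 6, 22, 0, 30, tzinfo=timezone.utc)


def parse_expiry(value: str) -> Optional[datetime]:
    """'se' is ISO-8601 UTC: 2051-10-05T16:22:25Z or just 2051-10-05."""
    text = value.strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    try:
        dt = datetime.fromisoformat(text)
    except ValueError:
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def audit_sas_url(url: str, now: Optional[datetime] = None) -> dict:
    """Return the parsed SAS parameters plus a list of findings (empty = clean)."""
    now = now or datetime.now(timezone.utc)
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    findings = []
    if not all(k in q for k in ("sig", "sp", "se")):
        return {"params": q, "account_sas": False,
                "findings": ["not a complete SAS URL: sig, sp and se are required"]}

    # Scope: an account SAS (ss/srt) reaches the whole account; a service SAS names one resource.
    account_sas = "ss" in q or "srt" in q
    if account_sas:
        findings.append(f"account SAS over services '{q.get('ss', '')}' and "
                        f"resource types '{q.get('srt', '')}', not a single blob")
    elif q.get("sr") == "c":
        findings.append("container-scoped: every blob in the container is reachable")

    # Permissions: anything beyond 'r' lets the holder alter or delete data.
    perms = set(q["sp"])
    risky = "".join(sorted(perms & WRITE_CLASS))
    if risky:
        findings.append(f"write-class permissions granted: {risky}")
    if "l" in perms:
        findings.append("list permission: holder can enumerate what the scope contains")

    # Lifetime: a leaked token is only as bad as its remaining validity.
    expiry = parse_expiry(q["se"])
    if expiry is None:
        findings.append(f"unparseable expiry '{q['se']}'")
    elif expiry <= now:
        findings.append("already expired")
    elif expiry - now > MAX_LIFETIME:
        findings.append(f"expiry {q['se']} is {(expiry - now).days} days away "
                        f"(policy max {MAX_LIFETIME.days})")

    # Network restrictions.
    if "sip" not in q:
        findings.append("no sip restriction: usable from any IP address")
    if "http" in q.get("spr", "https").split(","):
        findings.append("spr permits plain http")
    return {"params": q, "account_sas": account_sas, "findings": findings}


if __name__ == "__main__":
    for label, url in (("over-broad", OVERBROAD_URL), ("scoped", SCOPED_URL)):
        print(label, audit_sas_url(url, REFERENCE_NOW)["findings"])
```

Run against the over-broad URL the script reports five findings (account scope, write-class permissions, list rights, a 28-year expiry and no IP restriction); the scoped URL reports none. The same checks can be run over every SAS URL found in a repository, since the token is fully self-describing.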
Wiz notified Microsoft of its findings on June 22, and the SAS token was revoked two days later. It then took the company almost three weeks to complete a thorough investigation, which concluded that no unauthorized third party had accessed the data, according to TechCrunch.
To keep this from happening again, Microsoft has expanded GitHub's secret scanning service, which monitors all public open-source code changes for credentials and other secrets committed in plaintext, so that it also flags SAS tokens with overly permissive expirations or privileges.
Unfortunately, unsecured cloud databases are common. Earlier this year, OyeTalk, a moderately popular Android voice chat app, made a similar mistake. It was built on Google's Firebase mobile application development platform, which also offers cloud-hosted databases. According to Cybernews researchers, OyeTalk's Firebase instance required no authentication at all, so its contents were readable by anyone who found the URL.
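In Firebase, "not password protected" almost always means the database's security rules grant read and write access to everyone. The following script is an added example, not OyeTalk's or Cybernews's code, and it assumes the app used the Firebase Realtime Database, whose rules are a JSON tree of `.read` and `.write` expressions (the page does not say which Firebase database product was involved). It walks a rules file and flags every rule that is the literal `true` or that never consults `auth`, comparing a constructed wide-open rule set with a hardened one that restricts each user to their own subtree.

```python
"""Flag world-open Firebase Realtime Database security rules.  Added example,
not OyeTalk's or Cybernews's code.  Assumes the Realtime Database rules model:
a JSON tree whose '.read'/'.write' values are booleans or expressions.  Both
rule sets below are constructed; the weak one is the classic "anyone can read
and write" configuration that exposes every record to the internet.
"""
import json

# Constructed: the wide-open rule set (no authentication required).
WEAK_RULES = json.dumps({"rules": {".read": True, ".write": True}})

# Constructed: each user may touch only their own subtree; rooms need a login.
HARDENED_RULES = json.dumps({"rules": {
    "users": {"$uid": {".read": "auth != null && auth.uid == $uid",
                       ".write": "auth != null && auth.uid == $uid"}},
    "rooms": {".read": "auth != null", ".write": "auth != null"},
}})


def audit_firebase_rules(rules_json: str) -> list:
    """Return paths whose .read/.write grant access without an auth check."""
    findings = []

    def walk(node, path):
        if not isinstance(node, dict):
            return
        for key, value in node.items():
            if key in (".read", ".write"):
                # Literal true (JSON bool or the string "true") means anyone on the
                # internet, with or without a Firebase login, passes the rule.
                if value is True or (isinstance(value, str) and value.strip() == "true"):
                    findings.append(f"{path or '/'} {key}: open to everyone")
                # Heuristic: an expression that never consults auth is unauthenticated.
                elif isinstance(value, str) and "auth" not in value:
                    findings.append(f"{path or '/'} {key}: no auth check ({value})")
            elif key != ".validate":
                # Rules cascade downward, so a child grant matters even if the root denies.
                walk(value, f"{path}/{key}")

    walk(json.loads(rules_json).get("rules", {}), "")
    return findings


if __name__ == "__main__":
    print("weak:", audit_firebase_rules(WEAK_RULES))
    print("hardened:", audit_firebase_rules(HARDENED_RULES))
```

The weak rule set produces two findings at the root; the hardened one produces none. Because Realtime Database rules cascade, a single `.read: true` high in the tree exposes everything beneath it, which is why the walk reports the path of each offending grant.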