Cybersecurity has been a headache for Microsoft in the past few months. While the company is pushing Zero Trust security models for customers to adopt, some of its own software has been exposing data over the public internet. Recently, we learned that a default configuration in Microsoft Power Apps portals left 38 million records – including sensitive information – open to the public and now it appears that a similar security flaw in Azure exposed data from several Fortune 500 customers too.

A graphic showing the ChaosDB attack on Cosmos DB

Security firm Wiz has detailed an exploit which allowed it unrestricted access to databases owned by thousands of Azure customers. Dubbed ChaosDB, the attack can be triggered via a default configuration present in Azure Cosmos DB. In 2019, Microsoft introduced Jupyter Notebook to Azure Cosmos DB and enabled it by default for all customers in February 2021. Due to misconfigurations present in this capability, Wiz was able to access an attack vector, trigger a privilege escalation, break the notebook's container, and gain access to primary keys hosted by Cosmos DB as well as the notebook blob storage access token. These were then used to gain admin access to all data hosted by impacted accounts. The keys could also be exfiltrated so that data could be manipulated over the public internet too.

Wiz discovered the vulnerability on August 9 and reported it to Microsoft on August 12. The Redmond tech giant reportedly disabled Jupyter Notebook in Cosmos DB 48 hours after Wiz' report. Reuters further reports that today, Microsoft has patched the issue and begun informing customers that they should start rotating their (supposed-to-be) private keys. An email from the company to impacted customers reads:

We fixed this issue immediately to keep our customers safe and protected. We thank the security researchers for working under coordinated vulnerability disclosure.

[…] We have no indication that external entities outside the researcher (Wiz) had access to the primary read-write key.

Wiz has cautioned that even though Microsoft has now patched the issue, it is essential that customers rotate their keys, because their existing keys can still be used to access their data. The security researcher claims that every Cosmos DB account created after February 2021 or who used Jupyter Notebook since its launch is impacted. This essentially means that the vulnerability may have been exposing data for over two years for many Azure customers. Wiz has been awarded a $40,000 bounty by Microsoft for discovering the issue and privately disclosing it to the Redmond tech giant.