Researchers Say “Microsoft Cloud Databases Vulnerable for Years”

A vulnerability in Microsoft Inc.’s cloud database system left data at thousands of clients exposed to potential cyberattacks for about two years, according to the Israeli cybersecurity firm that discovered the bug.

More than 3,300 of the software giant’s customers were exposed to a flaw in its Azure Cosmos DB database product that could have granted a malicious actor access keys to steal, edit or delete sensitive data, according to researchers at the Tel Aviv-based Wiz.io. Wiz’s co-founder and Chief Technology Officer Ami Luttwak says his team of researchers discovered the vulnerability on Aug. 9 while managing security for some of its own Fortune 500 clients.

Reuters reported earlier that Microsoft had warned thousands of its Azure customers on Thursday about the security flaw. In an email to clients that was reviewed by Bloomberg News, the software firm asked network administrators to take four steps to protect their Cosmos databases, including generating new digital keys used to securely access those systems.

Microsoft says they’ve since fixed the vulnerability. “There is no evidence of this technique being exploited by malicious actors,” the company said in an emailed statement. “We are not aware of any customer data being accessed because of this vulnerability.”

The Wiz researchers found that the vulnerability existed since mid-2019, when Microsoft added a new feature to Cosmos DB called Jupyter Notebooks. The add-on allows database managers to insert lines of code so they can visualize and interact with their data. The feature had to be toggled on by users until February 2021, when Microsoft activated Jupyter Notebooks by default.

“If I’m a customer using the cloud database, my biggest fear is someone accessing my data without me knowing,” said Wiz’s Luttwak. “And that’s what this vulnerability would have done, if not corrected.”

Cosmos DB counts companies including Exxon Mobil Corp., Coca-Cola Co. and Citrix Systems Inc. as clients, according to Microsoft’s website for the service. In a customer testimonial on the site, the Walgreens pharmacy chain says it processes more than 6 million prescriptions a day and the company uses Azure Cosmos DB to run “microservices that its prescription transactions rely on.”