Microsoft Azure's Cosmos DB service contained a vulnerability that allowed attackers to gain unrestricted access to the database accounts of thousands of Azure customers. Microsoft has fixed the flaw and notified customers.
Security researchers at Wiz found that it was possible to obtain the primary keys of Cosmos DB accounts. A primary key grants access to all data in the account: not only read access, but also the ability to modify and delete that data.
The problem lay in Jupyter Notebook, a feature within Cosmos DB that lets customers visualise their data. The feature was introduced in 2019 and was automatically enabled for all Cosmos DB customers last February. According to the researchers, a series of misconfigurations in this notebook feature opened up an attack vector.
Wiz has not yet released many details about these misconfigurations, but the researchers say the notebook container allowed an attacker to escalate privileges from their own notebook into those of other customers. With those escalated privileges an attacker could obtain the primary keys of another customer's Cosmos DB database.
The researchers reported the issue to Microsoft, which paid them a $40,000 bounty and disabled the notebook feature. According to Wiz, the feature remains disabled pending a permanent fix. In an email to customers seen by Reuters, Microsoft says the problem has been resolved and that there is no evidence the flaw was abused; according to Microsoft, only the Wiz researchers had access to it.
Wiz, incidentally, believes that Microsoft has not informed enough customers. According to the researchers, Microsoft only notified customers whose keys were exposed this month, and advised those customers to regenerate their keys. Wiz argues, however, that the flaw has been present in Cosmos DB since the notebook feature was introduced in 2019 and that Microsoft should therefore notify far more customers. Wiz reported the issue to Microsoft on 12 August; two days later the Jupyter Notebook feature was disabled.
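Regenerating the keys is the one step an affected customer can take themselves, so the script below shows how that is done with the Azure CLI. It is an added example, not code from the article, from Microsoft or from Wiz; it assumes `az` is installed and logged in, and the account name and resource group on the command line are placeholders. Because a primary key is full read-write access to the account, the script does not just fire the regenerate command: it reads the key before and after and refuses to report success unless the service really handed back a different value. Keys can also be rotated in the portal; the CLI is used here so the check can be automated.

```bash
#!/usr/bin/env bash
# Rotate one Azure Cosmos DB account key and verify that it actually changed.
# Added example (not from the article, Microsoft or Wiz). Assumes `az` is
# installed and authenticated; account and resource-group names are placeholders.
#
# Usage: ./rotate-cosmos-key.sh <account> <resource-group> <key-kind>
#   key-kind is one of: primary, secondary, primaryReadonly, secondaryReadonly
set -eu

AZ="${AZ:-az}"   # the CLI binary; overridable so the functions can be exercised offline

# Read the current value of one key. `az cosmosdb keys list --type keys` returns
# primaryMasterKey, secondaryMasterKey, primaryReadonlyMasterKey and
# secondaryReadonlyMasterKey, so the JMESPath field is "<kind>MasterKey".
get_key() {
    account="$1"; rg="$2"; kind="$3"
    "$AZ" cosmosdb keys list --name "$account" --resource-group "$rg" \
        --type keys --query "${kind}MasterKey" -o tsv
}

# Regenerate one key and confirm the new value differs from the old one.
# Exit status: 0 = rotated and verified, 1 = key did not change, 2 = bad key kind.
rotate_key() {
    account="$1"; rg="$2"; kind="$3"
    case "$kind" in
        primary|secondary|primaryReadonly|secondaryReadonly) ;;
        *) echo "ERROR: unknown key kind '$kind'" >&2; return 2 ;;
    esac

    before="$(get_key "$account" "$rg" "$kind")"
    "$AZ" cosmosdb keys regenerate --name "$account" --resource-group "$rg" \
        --key-kind "$kind" >/dev/null
    after="$(get_key "$account" "$rg" "$kind")"

    if [ -n "$after" ] && [ "$after" != "$before" ]; then
        echo "rotated $kind key of $account"
        return 0
    fi
    # A silent no-op here would leave a possibly exposed key in service.
    echo "ERROR: $kind key of $account did not change" >&2
    return 1
}

# Only run when invoked with arguments, so the file can also be sourced.
if [ "$#" -eq 3 ]; then
    rotate_key "$1" "$2" "$3"
fi
```

Rotate the read-write keys one at a time and in the order the application can tolerate: point clients at the secondary key, regenerate the primary, move clients back to the new primary, then regenerate the secondary (and repeat for the two read-only keys). Rotation only helps once the path that leaked the keys is closed; in this case Microsoft disabled the notebook feature, and until that happened a freshly generated key could simply have been read out again.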