Microsoft to Azure Cosmos DB Users: Your Data May Have Been Exposed

Microsoft warned thousands of Azure Cosmos DB users last week that their data may have been exposed through a recently discovered security flaw in the service's Jupyter Notebook feature.

The flaw "could potentially allow a user to gain access to another customer's resources by using the account's primary read-write key," Microsoft said in a statement. Microsoft also said the vulnerability was mitigated "immediately."

The vulnerability, called ChaosDB, was reported by cloud security investigators at Wiz, who said they were able to exploit it to gain "complete unrestricted access to the accounts and databases of several thousand Microsoft Azure customers."

Nir Ohfeld and Sagi Tzadik, security researchers at Wiz, found the flaw and tested it to discover the extent of the vulnerability.

"A series of misconfigurations in the notebook feature opened up a new attack vector we were able to exploit," they said in a blog post. "In short, the notebook container allowed for a privilege escalation into other customer notebooks."

The flaw exposed the accounts and databases of several thousand Azure customers, including such Fortune 500 companies as Coca-Cola and Exxon Mobil.

Launched in 2017, Azure Cosmos DB is a fully managed NoSQL database service. Redmond added the Jupyter Notebook feature to the database in 2019 to give its customers the ability to visualize their data and create customized views. The feature was automatically turned on for all Cosmos DBs in February 2021.

Project Jupyter is an open source initiative focused on developing open standards and services for interactive computing across dozens of programming languages. The Jupyter Notebook is a Web application designed to allow developers to create and share documents that contain live code, equations, visualizations and narrative text.

In early August, Risk Based Security released two reports, the "2021 Mid-Year Data Breach QuickView Report" and the "2021 Mid-Year Vulnerability QuickView Report," covering data breaches and vulnerabilities identified in the first half of 2021. According to the reports, the number of breaches reported so far this year declined, while the number of reported vulnerabilities increased.

But there's still a "massive gap" in our system of security reporting, says U.K.-based security maven Kevin Beaumont. In a Twitter discussion of ChaosDB, Beaumont noted:

"No CVE numbers are issued for flaws, and suppliers aren't required to disclose flaws. Cloud services aren't magically secure. You'll notice public disclosure of this comes from an external researcher."

The CVE (Common Vulnerabilities and Exposures) is a database of publicly disclosed information about security issues.

About the Author

John K. Waters is the editor in chief of a number of sites, with a focus on high-end development, AI and future tech. He's been writing about cutting-edge technologies and the culture of Silicon Valley for more than two decades, and he's written more than a dozen books. He also co-scripted the documentary film Silicon Valley: A 100 Year Renaissance, which aired on PBS. He can be reached at [email protected].

