The databases of thousands of Microsoft's "cloud" customers exposed

"We immediately corrected this problem to ensure the safety and protection of our customers," Microsoft told Reuters.


Microsoft sent an email on August 26, 2021 warning thousands of customers of its cloud computing services that intruders could read, modify or even delete some of their databases, according to a copy of the document and a cybersecurity researcher.

Database access keys were accessible
The vulnerability concerns Microsoft Azure's flagship database, Cosmos DB. A research team from security firm Wiz found it was able to access the keys that control access to databases owned by thousands of companies. Wiz CTO Ami Luttwak is a former CTO of Microsoft's Cloud Security Group. Microsoft couldn't change these keys on its own, so the company sent an email to its customers asking them to create new ones.

A flaw reportedly not exploited
Microsoft agreed to pay Wiz $40,000 for discovering and reporting the flaw, according to an email sent to Wiz. "We immediately corrected this problem to ensure the safety and protection of our customers," Microsoft told Reuters. In the email sent to its customers, Microsoft says that it has corrected the vulnerability and that there is no evidence that the flaw has been exploited. "We have no indication that entities external to the researchers (Wiz) had access to the read-write key," the company said in the copy of the email seen by Reuters.
