Microsoft warns customers that Azure Cosmos DB vulnerability exposed their databases for years

As part of its transition to a cloud company, Microsoft has been extolling the supposed virtues of digital transformation and encouraging organizations to move their businesses from on-premises to the Azure cloud. Security researchers have long warned about the potential security nightmares that could ensue, and now Microsoft is forced to admit to its customers that a single vulnerability in Azure’s flagship Cosmos DB database left their main databases open to be read, changed, or even deleted by anyone with knowledge of the issue.

Microsoft on Thursday warned many of its cloud computing customers that for more than two years, their data has been susceptible to attacks. Specifically, a now-fixed vulnerability in Azure’s Cosmos DB database would have allowed a malicious actor to read, change, and even delete the main databases of over 3,000 organizations of all sizes, including ExxonMobil, Walgreens, Coca Cola, Symantec, Zeiss, and Liberty Mutual Insurance.

The flaw was discovered by security company Wiz, who dubbed it “ChaosDB.” Researchers explained that their exploit takes advantage of a chain of misconfigurations in the Jupiter Notebook visualization feature that Microsoft added to Cosmos DB in 2019. In February this year, that feature was automatically turned on for all Cormos DBs.

To put it simply, Wiz found a way to allow any user to take complete control of a massive collection of commercial databases, including the central database of Azure. Researchers notified Microsoft about the issue on August 12, and the latter was able to mitigate the issue within 48 hours of it being reported, which is a respectable performance.

As a precaution, Wiz recommends that all Cosmos DB customers rotate and regenerate their primary access keys, regardless of whether they received a notification from Microsoft or not. Despite the severity of ChaosDB, neither Wiz nor Microsoft found any indication that someone other than the researchers had been able to exploit the vulnerability. Reuters reports that Wiz received a $40,000 reward for discovering and reporting the flaw.

Overall, Microsoft’s been having a tough time as of late. After the SolarWinds fiasco, the Redmond giant has had to deal with at least ten hacker groups targeting Microsoft Exchange Server exploits, and, more recently, a stubborn print spooler vulnerability in Windows that will probably haunt the company for months.