Microsoft has told thousands of its cloud computing customers about a database security flaw.

The statement, originally reported by Reuters, said that third parties could read, change, or even delete businesses’ main databases.

The vulnerability was discovered in Microsoft Azure’s Cosmos database product by Ami Luttwak, chief technology officer at Israeli cybersecurity group Wiz.

Luttwak was previously chief technology officer at Microsoft’s cloud security division.
Microsoft told users to change their security keys in the email, as Microsoft is unable to do this by themselves.

According to Microsoft, Cosmo is used by a significant number of large corporations worldwide, including Coca-Cola, Exxon Mobil, and Citrix.

The software giant is set to pay Wiz $40,000 for identifying and reporting the vulnerability.
Microsoft’s email as reported by Reuters said there was “no indication that external entities outside the researcher (Wiz) had access to the primary read-write key.”

Wiz said the vulnerability stemmed from a feature called Jupyter Notebook, added in 2019 to Cosmos DB, that allows customers visualise their data and create customised views.

Jupyter Notebook was automatically turned on for all Cosmos DBs in February 2021.

The news comes after a Microsoft vulnerability was exploited in the Solarwinds cyberattack in December 2020, which impacted over 200 organisations worldwide.

Share Story: