Security researchers have discovered a serious security vulnerability in Microsoft Azure that could give an attacker unfettered access to any and all of the databases stored on its Cosmos DB service.
Researchers from security firm Wiz found that it is not only possible but trivial to obtain the primary keys to databases. The vulnerability, dubbed ChaosDB, may have existed since the introduction of the Jupyter Notebook feature back in 2019, and it gives attackers the ability to access, edit and delete data or entire databases. Microsoft is unable to change customers' primary keys itself, and has emailed customers to advise them to do so; but the company has been criticized for failing to contact a sufficient number of users.
“This is the worst cloud vulnerability you can imagine,” Wiz CTO Ami Luttwak told Reuters. “It’s a well-kept secret. This is Azure’s primary database, and we were able to access any client database we needed through it.”
In a blog post, Wiz describes the major security flaw, explaining how it was able to “gain complete uncontrolled access”.
A security researcher discovered a vulnerability in the Azure Cosmos DB Jupyter Notebook functionality on August 12, 2021, which might potentially allow a user to get access to another customer’s resources by utilising the account’s primary read-write key. We quickly took steps to address the flaw.