Microsoft has acknowledged a recently discovered flaw in its Azure-based Cosmos DB database that left over 3,000 customers open to attack. But the software giant says that no customers were exploited, and it has fixed the flaw.
“There is no evidence of this technique being exploited by malicious actors,” a Microsoft statement notes. “We are not aware of any customer data being accessed because of this vulnerability.”
The vulnerability was discovered by a security company named Wiz, which hyperbolically described it as “the worst cloud vulnerability you can imagine.” As Han Solo once noted, however, “I don’t know, I can imagine quite a bit.”
“Customers like Coca-Cola, Exxon-Mobil, and Citrix use Cosmos DB to manage massive amounts of data from around the world in near real-time,” a Wiz blog post about its discovery explains. “A series of flaws in a Cosmos DB feature created a loophole allowing any user to download, delete, or manipulate a massive collection of commercial databases, as well as read/write access to the underlying architecture of Cosmos DB.”
Wiz named the flaw “#ChaosDB,” and claims that exploiting it was “trivial.” Microsoft paid the firm $40,000 for its discovery.
“We fixed this issue immediately to keep our customers safe and protected,” Microsoft added. “We thank the security researchers for working under coordinated vulnerability disclosure.”