Microsoft passwords and keys exposed through misconfigured Azure storage

38TB of exposed data included passwords for Microsoft services, secret keys and conversations

The unintentional exposure began in July 2020, when Microsoft's AI research division published open-source AI models to a publicly accessible GitHub repository.

It went unnoticed until 2023, when researchers from cloud security provider Wiz Research, scanning the internet for exposed storage accounts, came across it.

The researchers found that the affected GitHub page directed visitors to a URL, generated by a Microsoft employee, for downloading the AI models from an Azure storage container.

That URL, however, had been issued with far broader scope than the models it was meant to share: instead of granting read access to the model files alone, it granted access to the entire storage account, exposing other sensitive files and data to anyone who had the link.

Wiz's scans revealed that the storage account held a staggering 38TB of data, including passwords for Microsoft services, secret keys, and more than 30,000 internal Microsoft Teams messages exchanged between 359 Microsoft employees.

According to the researchers, the token granted write as well as read access, so a potential attacker could have injected malicious code into all the AI models in the storage account. Every user who fetched the models from Microsoft's GitHub repository would then have been exposed to the infection.

Wiz reported the incident to the Microsoft Security Response Center (MSRC) on 22nd June 2023.

In response, MSRC invalidated the SAS token on 24th June, blocking all external access to the Azure storage account and mitigating the issue.

Microsoft officially confirmed the information in the Wiz advisory, acknowledging that Wiz had contacted Microsoft through the coordinated vulnerability disclosure process.

"Data exposed in this storage account included backups of two former employees' workstation profiles and internal Microsoft Teams messages of these two employees with their colleagues," the MSRC team said in its report.

"No customer data was exposed, and no other internal services were put at risk because of this issue. No customer action is required in response to this issue."

Microsoft attributed the data exposure to the use of an overly permissive Shared Access Signature (SAS) token, which granted full control over the entire storage account rather than read access to the files that were meant to be shared.

A SAS token is a signed URL that grants its holder specified permissions on storage resources without any Azure login. The feature makes data sharing easy, but Wiz's researchers noted that such tokens are hard to monitor and hard to revoke: a token signed with the storage account key stays valid until that key is rotated, which invalidates every other token signed with it as well. Without an inventory of the tokens that have been issued and governance over how they are created, they become a standing security risk, which is why their use should be restricted to the bare minimum necessary.

"These tokens are very hard to track, as Microsoft does not provide a centralised way to manage them within the Azure portal," the researchers said.

Furthermore, the researchers noted, these tokens can be issued with an expiry date arbitrarily far in the future; Azure imposes no upper limit on their lifetime.

"Therefore, using Account SAS tokens for external sharing is unsafe and should be avoided."
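The properties the researchers object to (account-wide scope, write permissions, a distant expiry) are all visible in the query string of the SAS URL itself, so a team can audit the links it has published without any access to Azure. The script below is an added example, not code from Wiz, Microsoft or the affected repository. It uses only the documented SAS query parameters (sv, ss, srt, sr, sp, se, spr, skoid, sig); the two sample URLs are constructed, with a fictitious account name and fabricated signatures, and the seven-day lifetime limit is an assumed policy, not an Azure rule.

```python
"""Audit an Azure Storage SAS URL for the over-permissive settings described above.

Added example, not code from Wiz or Microsoft.  The sample URLs are constructed
(fictitious account, fake signatures); the lifetime limit is an assumed policy.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Assumed policy for links handed to outsiders: read/list only, one container
# or blob rather than the whole account, HTTPS only, expiry at most a week out.
MAX_EXTERNAL_LIFETIME = timedelta(days=7)
READ_ONLY_PERMISSIONS = {"r", "l"}  # r = read, l = list

# Fixed "now" so the examples below evaluate the same way on every run.
AUDIT_TIME = datetime(2023, 6, 22, tzinfo=timezone.utc)

# Constructed account SAS in the style the article describes: every service
# (ss=bfqt), every resource type (srt=sco), read/write/delete/list and more
# (sp), HTTP permitted, and an expiry decades away.  The signature is fake.
LEAKED_STYLE_URL = (
    "https://contosoresearch.blob.core.windows.net/"
    "?sv=2020-08-04&ss=bfqt&srt=sco&sp=rwdlacupx"
    "&se=2051-10-15T00:00:00Z&spr=https,http&sig=FAKEsignature"
)

# Constructed service SAS for a single blob: read only, HTTPS only, one day.
HARDENED_URL = (
    "https://contosoresearch.blob.core.windows.net/models/resnet50.ckpt"
    "?sv=2020-08-04&sr=b&sp=r&se=2023-06-23T00:00:00Z&spr=https&sig=FAKEsignature"
)


def parse_sas_time(value: str) -> datetime:
    """Parse the ISO-8601 timestamps Azure accepts in st/se (date or date-time, UTC)."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def audit_sas_url(url: str, now: datetime = AUDIT_TIME) -> dict:
    """Classify a SAS URL and list the properties that make it unsafe to share externally."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    findings = []

    if "sig" not in params:
        return {"kind": "unsigned", "permissions": "", "expires": None,
                "findings": ["no sig parameter: this is not a SAS URL"]}

    # Token kind: a user delegation SAS carries the signed object id (skoid) of
    # the Azure AD identity that signed it; an account SAS carries ss/srt;
    # anything else is a service SAS scoped by sr (container or blob).
    if "skoid" in params:
        kind = "user-delegation"
    elif "ss" in params or "srt" in params:
        kind = "account"
        findings.append(
            "account SAS: scoped to the whole storage account "
            f"(services={params.get('ss', '')}, resource types={params.get('srt', '')})"
        )
    else:
        kind = "service"

    permissions = params.get("sp", "")
    extra = sorted(set(permissions) - READ_ONLY_PERMISSIONS)
    if extra:
        findings.append(f"permissions beyond read/list: {''.join(extra)}")

    expires = params.get("se")
    if expires is None:
        findings.append("no expiry (se) set")
    else:
        remaining = parse_sas_time(expires) - now
        if remaining > MAX_EXTERNAL_LIFETIME:
            findings.append(
                f"expires in {remaining.days} days, beyond the "
                f"{MAX_EXTERNAL_LIFETIME.days}-day limit"
            )

    # spr=https restricts the token to HTTPS; omitted or https,http also allows HTTP.
    if params.get("spr") != "https":
        findings.append("not restricted to HTTPS (spr)")

    return {"kind": kind, "permissions": permissions, "expires": expires, "findings": findings}


if __name__ == "__main__":
    for label, url in (("leaked-style", LEAKED_STYLE_URL), ("hardened", HARDENED_URL)):
        report = audit_sas_url(url)
        print(f"{label}: {report['kind']} SAS, sp={report['permissions']!r}, se={report['expires']}")
        for finding in report["findings"] or ["no findings"]:
            print("  -", finding)
```

Run it over a dump of every `sig=` URL found in a repository's history, not just the current README: a token that was committed and later replaced is still valid until the key it was signed with is rotated, which is exactly why Wiz recommends service-scoped, short-lived tokens for anything shared outside the organisation.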

In recent years, the storage services provided by major cloud providers have increasingly become a subject of interest for both researchers and attackers.

As an example, in 2020, a half-million documents associated with a financial app were inadvertently exposed due to a misconfigured Amazon Web Services S3 bucket.

In September last year, the threat intelligence firm SOCRadar identified another misconfigured Azure Blob Storage instance belonging to Microsoft.

That storage held sensitive data in files dating from 2017 to August 2022 and was linked to more than 65,000 entities across 111 countries.

Microsoft is currently under investigation by the US Department of Homeland Security's Cyber Safety Review Board (CSRB) as part of a probe into cloud security. The probe follows an incident earlier this year in which hackers, purportedly acting on behalf of the Chinese government, obtained one of the company's cryptographic signing keys and, by exploiting a validation error in Microsoft's code, used it to gain broad access to the company's Exchange cloud email platform.