Microsoft Azure Screw-Up Leaves Databases Belonging To Fortune 500 Companies Insecure… Oops…

According to The Verge, Microsoft had a flaw in their Cosmos DB product that was kind of epic:

A flaw in Microsoft’s Azure Cosmos DB database product left more than 3,300 Azure customers open to complete unrestricted access by attackers. The vulnerability was introduced in 2019 when Microsoft added a data visualization feature called Jupyter Notebook to Cosmos DB. The feature was turned on by default for all Cosmos DBs in February 2021.

And who are those customers? Well:

listing of Azure Cosmos DB clients includes companies like Coca-Cola, Liberty Mutual Insurance, ExxonMobil, and Walgreens, to name just a few.

That’s not exactly an insignificant company list.

The company that discovered the flaw got paid $40,000 by Microsoft for finding it. And here’s what that company said:

“This is the worst cloud vulnerability you can imagine,” said Ami Luttwak, Chief Technology Officer of Wiz, the security company that discovered the issue. “This is the central database of Azure, and we were able to get access to any customer database that we wanted.”

I wonder how Microsoft is going to explain this screw-up. Well, here’s how they tried to do so:

“There is no evidence of this technique being exploited by malicious actors,” Microsoft told Bloomberg in an emailed statement. “We are not aware of any customer data being accessed because of this vulnerability.”
In an update posted to the Microsoft Security Response Center, the company said its forensic investigation included looking through logs to find any current activity or similar events in the past. “Our investigation shows no unauthorized access other than the researcher activity,” said Microsoft.

Remember, kids: the cloud is just someone else’s computer. If you choose to use the cloud for sensitive or business-critical activities, you need to trust that the cloud provider’s security is on point. And looking at this example, even Microsoft can screw this up. Thus you have to wonder if going to the cloud is really worth it.
