News, 19.09.2023, 13:30 PM
Microsoft has inadvertently disclosed a huge amount of sensitive internal information dating back more than three years through a public GitHub repository.
Cloud data protection company Wiz discovered the privacy breach when it found the “robust-models-transfer” GitHub repository belonging to Microsoft’s AI research division.
Although the repository was only supposed to provide access to open source code and AI models for image recognition, the Azure storage URL was actually misconfigured to grant account-wide permissions, Wiz said.
“Our search shows that this account contains 38 TB of additional data – including backups of Microsoft employees’ personal computers. The backups contained sensitive personal information, including passwords for Microsoft services, secret keys, and more than 30,000 internal Microsoft Teams messages from 359 Microsoft employees,” Wiz said.
“In addition to the excessive scope of access allowed, the token was also misconfigured to allow ‘full control’ permissions instead of read-only. Meaning, not only could the attacker see all the files on the storage account, but they could also delete and overwrite existing files.”
The cause of the problem appears to be Microsoft’s use of a Shared Access Signature (SAS) token – a signed URL that gives users access to Azure Storage data.
It is a tool that allows for a high degree of customization by the user, allowing permissions from read to full control and an expiration time that can effectively be set to forever. The original SAS token in this incident was first posted to GitHub in July 2020, and its expiration date was updated in October 2021 to 30 years from now.
After Wiz reported the incident, Microsoft revoked and replaced the token.
“No customer data was exposed, and no other internal services were put at risk due to this issue,” Microsoft said. “No user action is required in response to this problem.”
However, Wiz warned that SAS tokens are an ongoing risk.
“Due to a lack of oversight and governance, SAS tokens pose a security risk, and their use should be as limited as possible. These tokens are very difficult to track because Microsoft doesn’t provide a centralized way to manage them within the Azure portal,” says Wiz. “Additionally, these tokens can be configured to last forever, with no upper limit on their expiration time. Therefore, using SAS account tokens for external sharing is not secure and should be avoided.”
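The three properties the article singles out (account-wide scope, full-control permissions, an expiry decades away) are all visible in the query string of a SAS URL, which is why a repository or log scan can flag them before anyone uses the link. The following audit script is an added example written for this page; it is not code from Wiz or Microsoft. It reads the standard SAS parameters (ss/srt for an account SAS, sr for a service SAS, sp for permissions, se for expiry, sig for the signature), and the 7-day lifetime ceiling, the account name and the placeholder signatures in the sample URLs are all constructed assumptions, not values from the incident.

```python
"""Audit a Shared Access Signature (SAS) URL for the risk properties the article describes.

Added example (not Wiz's or Microsoft's code). Checks, with policy thresholds that are
assumptions rather than Azure defaults:
  - account-scoped SAS (``ss``/``srt`` present) instead of a blob/container-scoped one (``sr``)
  - permissions beyond read/list in ``sp`` (w = write, d = delete, c = create, ...)
  - expiry (``se``) further out than an assumed maximum lifetime, or missing altogether
"""
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import parse_qs, urlsplit

MAX_LIFETIME = timedelta(days=7)  # assumed policy ceiling for externally shared tokens

# Reference time fixed to the article's date so the output is reproducible.
AUDIT_TIME = datetime(2023, 9, 19, 13, 30, tzinfo=timezone.utc)

READ_ONLY = {"r", "l"}  # anything outside this set lets the holder change or delete data
PERMISSION_NAMES = {
    "r": "read", "w": "write", "d": "delete", "l": "list", "a": "add",
    "c": "create", "u": "update", "p": "process", "t": "tag", "f": "filter",
    "x": "delete-version", "y": "permanent-delete", "i": "set-immutability",
}

# Constructed sample URLs: account name and signatures are placeholders, not real tokens.
RISKY_URL = (
    "https://exampleaccount.blob.core.windows.net/?sv=2020-08-04&ss=bfqt&srt=sco"
    "&sp=rwdlacupx&se=2051-10-06T07:05:04Z&st=2021-10-06T07:05:04Z&spr=https&sig=PLACEHOLDER"
)
SCOPED_URL = (
    "https://exampleaccount.blob.core.windows.net/models/resnet50.pt?sv=2020-08-04&sr=b"
    "&sp=r&se=2023-09-20T12:00:00Z&sig=PLACEHOLDER"
)


def parse_sas(url: str) -> dict:
    """Split a SAS URL into its query parameters (first value of each) plus host and path."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    params["_host"] = parts.netloc
    params["_path"] = parts.path
    return params


def parse_expiry(value: str) -> datetime:
    """Parse the UTC timestamp forms Azure accepts in ``se`` (full, minute-only or date-only)."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised expiry format: {value}")


def audit_sas(url: str, now: Optional[datetime] = None,
              max_lifetime: timedelta = MAX_LIFETIME) -> list:
    """Return a list of findings; an empty list means the token is within the assumed policy."""
    now = now or datetime.now(timezone.utc)
    p = parse_sas(url)
    findings = []

    if "sig" not in p:
        return ["no signature parameter: not a SAS URL"]

    # Scope: an account SAS carries ss/srt and can reach every container in the account.
    if "ss" in p or "srt" in p:
        findings.append(f"account-scoped SAS (ss={p.get('ss', '')}, srt={p.get('srt', '')})")
    elif p.get("sr") not in {"b", "c", "d"}:  # assumed blob-service scopes: blob, container, directory
        findings.append(f"unexpected or missing resource scope sr={p.get('sr')}")

    # Permissions: anything beyond read/list is the 'full control' case the article describes.
    mutating = sorted(set(p.get("sp", "")) - READ_ONLY)
    if mutating:
        names = ", ".join(PERMISSION_NAMES.get(c, c) for c in mutating)
        findings.append(f"mutating permissions granted: {names}")

    # Expiry: Azure imposes no upper limit, so the ceiling has to come from local policy.
    if "se" not in p:
        findings.append("no expiry (se) set")
    else:
        remaining = parse_expiry(p["se"]) - now
        if remaining > max_lifetime:
            findings.append(f"expiry {remaining.days} days out exceeds {max_lifetime.days}-day limit")
    return findings


if __name__ == "__main__":
    for label, url in (("risky", RISKY_URL), ("scoped", SCOPED_URL)):
        print(label, audit_sas(url, now=AUDIT_TIME) or ["within policy"])
```

Run against the two constructed URLs, the first (account SAS, read/write/delete permissions, expiry in 2051) produces three findings and the second (single blob, read-only, expires the next day) produces none. The same function can be pointed at URLs pulled out of commit history or proxy logs; because the signature itself is never validated, the check needs no access to the storage account key.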