Tue, Oct 15 2024
Microsoft has fixed a security flaw that left internal business files and login information vulnerable to public access.
A storage server hosted on Microsoft's Azure cloud service was found to be open and public by security researchers Can Yoleri, Murat Özfidan, and Egemen Koçhisarlı of SOCRadar, a cybersecurity firm that assists organizations in identifying security flaws. The server contained internal Microsoft Bing search engine data.
Code, scripts, and configuration files with passwords, keys, and other credentials that Microsoft workers used to access other corporate databases and systems were stored on the Azure storage server.
However, the storage server itself had no password protection, making it accessible to anyone with an internet connection.
Yoleri told TechCrunch that the exposed data could potentially help malicious actors identify or access other places where Microsoft stores its internal files. Identifying those storage locations “could result in more significant data leaks and possibly compromise the services in use,” Yoleri said.
The researchers notified Microsoft of the security lapse on February 6, and Microsoft secured the exposed files on March 5.
It’s not known for how long the cloud server was exposed to the internet, or if anyone other than SOCRadar discovered the exposed data inside. When reached by email, a spokesperson for Microsoft did not provide comment by the time of publication. Microsoft did not say if it had reset or changed any of the exposed internal credentials.
This is Microsoft's most recent security blunder as it works to win back consumer confidence following a string of cloud security mishaps in recent years. In a similar security breach the previous year, researchers discovered that Microsoft workers were exposing their own corporate network logins in code uploaded to GitHub.
Microsoft also faced criticism last year after acknowledging that it had no idea how China-backed hackers had obtained an internal email signing key, which gave the hackers complete access to senior American government officials' Microsoft-hosted inboxes. The email breach was the result of a "cascade of security failures at Microsoft," according to a report released last week by an independent board of cyber specialists tasked with examining it.
Microsoft announced in March that it was still battling an ongoing cyberattack that gave Russian state-backed hackers access to parts of the company's source code and private emails sent by Microsoft corporate officials.