Researchers from Microsoft's AI division accidentally exposed 38 terabytes of sensitive data while publishing open-source training data on GitHub.
That’s according to research by the security startup Wiz, who discovered a trove of data, including private keys, passwords and over 30,000 internal Teams messages, in a Mircosoft GitHub repository while researching the accidental exposure of cloud-hosted data.
The repository was only meant to provide access to open-source code and AI models for image recognition. But Wiz said the Azure Storage URL was accidentally misconfigured to grant permissions on the entire account.
“Our scan shows that this account contained 38TB of additional data – including Microsoft employees’ personal computer backups,” the report by Wiz reads.
“The backups contained sensitive personal data, including passwords to Microsoft services, secret keys, and over 30,000 internal Microsoft Teams messages from 359 Microsoft employees.”
Misconfigured SAS token
Wiz said the exposed data derives from Microsoft’s use of a Shared Access Signature (SAS) token – a signed URL that grants users access to Azure Storage data.
SAS are flexible tools allowing for a high degree of customisation from the user, enabling permissions from read-only to full control and expiry times which can be set effectively to forever.
Microsft’s SAS token, however, was misconfigured to allow “full control” rather than “read-only” permissions, meaning that anyone could potentially delete, replace and inject malicious content into the repository. This meant that the SAS URL had been exposing Microsoft’s data since 2020.
In addition to the overly permissive access scope, the token was also misconfigured to allow 'full contro'” permissions instead of read-only. Not only could an attacker view all the files in the storage account, but they could delete and overwrite existing files as well.
After Wiz reported the incident, Microsoft invalidated the SAS token and replaced it. While it scans public-facing repositories for its accounts, the tech giant said in a blog post that the specific SAS URL found by Wiz was incorrectly marked as a false positive.
“No customer data was exposed, and no other internal services were put at risk because of this issue. No customer action is required in response to this issue,” Microsoft said.
“There was no security issue or vulnerability within Azure Storage or the SAS token feature. We are making ongoing improvements to further harden the SAS token feature and continue to evaluate the service to bolster our secure-by-default posture.”
However, Wiz warned that SAS tokens still pose a security risk for companies that use them.
“Due to a lack of monitoring and governance, SAS tokens pose a security risk, and their usage should be as limited as possible. These tokens are very hard to track, as Microsoft does not provide a centralized way to manage them within the Azure portal,” the security firm added.
“In addition, these tokens can be configured to last effectively forever, with no upper limit on their expiry time. Therefore, using Account SAS tokens for external sharing is unsafe and should be avoided.”
IoT Tech Expo is the leading event for IoT, Digital Twins & Enterprise Transformation, IoT Security IoT Connectivity & Connected Devices, Smart Infrastructures & Automation, Data & Analytics and Edge Platforms.
Taking place on 26-27 September 2023 in Rai, Amsterdam, this year's event delves deep into the promise of IoT, exploring the benefits pitfalls and trends that come with understanding the digital transformation process for embracing this technology.
Attendees for the event include CTOs, CIOs, CEOs, Heads of Innovation and Technology, IT Directors, Developers, start-ups, OEMs, Government, Automotive, Operators, Technology Providers, Investors, VCs and many more.
