Microsoft’s 38 Terabyte Mishap

What Happened

Microsoft AI researchers accidentally exposed 38 terabytes of confidential data on the Microsoft AI GitHub repository.

The exposed data included open-source training data and a disk backup of two former employees’ workstations; the backup contained secrets, keys, passwords, and over 30,000 internal Teams messages.

The security company Wiz reported the issue to Microsoft on June 22, 2023, highlighting the risks associated with the Azure share-by-link mechanism. Wiz emphasized the need for monitoring and governance over Account SAS tokens to ensure proper security.

How It Happened

The exposure was caused by an overly permissive SAS token. SAS tokens are an Azure feature that lets users share data, but in a way that is difficult to track and revoke.

The breach occurred while publishing a bucket of open-source training data: the SAS URL used to share it made far more than that bucket public.

The SAS token, intended for sharing data securely, was misconfigured and allowed unauthorized access.

The entire storage account was accessible with full control permissions, exposing sensitive data until the token was taken down.

Timeline shared by Wiz:

  • Jul. 20, 2020 – SAS token first committed to GitHub; expiry set to Oct. 5, 2021
  • Oct. 6, 2021 – SAS token expiry updated to Oct. 6, 2051
  • Jun. 22, 2023 – Wiz Research finds and reports issue to MSRC
  • Jun. 24, 2023 – SAS token invalidated by Microsoft
  • Jul. 7, 2023 – SAS token replaced on GitHub
  • Aug. 16, 2023 – Microsoft completes internal investigation of potential impact
  • Sep. 18, 2023 – Public disclosure

About SAS

Shared Access Signatures (SAS) are an Azure feature that allows users to grant scoped access to specific files and resources in their storage account.

SAS tokens provide fine-grained control over the resources that can be accessed, the permissions granted, and the duration of the token’s validity. There are three different types of SAS tokens: user delegation, service, and account SAS tokens.

The lack of monitoring and governance over Account SAS tokens can pose security risks. It is challenging to track and manage the permissions granted to resources, making it difficult for security teams to ensure proper governance.

How to Prevent Similar Accidents

Organizations should follow best practices provided by Microsoft in their security advisory to minimize the risk of unintended access or abuse.

Here is a brief summary:

Just like any secret, SAS tokens need to be created and handled appropriately.

Azure Storage recommends the following Best Practices when working with SAS URLs:

  • Apply the Principle of Least Privilege
  • Use Short-Lived SAS
  • Handle SAS Tokens Carefully
  • Have a Revocation Plan
  • Monitor and Audit Your Application
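The three token types described under "About SAS" and the five practices listed here can be turned into a simple audit of SAS URLs found in repositories or logs. The Python helper below is an added example, not code from the original post or from Microsoft or Wiz. It parses only the query parameters that Azure documents for SAS tokens (sv, ss, srt, sp, se, sr, si, skoid) to classify a token as account, service or user-delegation SAS and to flag the patterns that made the incident above serious: account-wide scope, write-like permissions, an expiry decades away, and no revocation path short of rotating the account key. The storage account name, container, blob name and signature values in the sample URLs are constructed placeholders, and the risky sample mirrors only the facts in the timeline (account-level token, full permissions, expiry in October 2051).

```python
"""Audit Azure SAS URLs for overly broad scope, permissions and lifetime.

Hypothetical helper (not from the page, Microsoft or Wiz). It parses the
SAS query parameters Azure documents and never contacts Azure.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Permission letters that let the holder change or delete data:
# w=write, d=delete, a=add, c=create, u=update
WRITE_LIKE = set("wdacu")

# Date Wiz reported the issue (from the page's timeline), used as a fixed "now".
WIZ_REPORT_DATE = datetime(2023, 6, 22, tzinfo=timezone.utc)

# Constructed sample URLs (account name, paths and signatures are placeholders).
RISKY_SAS_URL = (
    "https://examplestorage.blob.core.windows.net/"
    "?sv=2020-08-04&ss=bfqt&srt=sco&sp=rwdlacup"
    "&se=2051-10-06T00:00:00Z&sig=CONSTRUCTED"
)
HARDENED_SAS_URL = (
    "https://examplestorage.blob.core.windows.net/training-data/dataset.zip"
    "?sv=2020-08-04&sr=b&sp=r&se=2023-06-23T00:00:00Z"
    "&si=readonly-24h&sig=CONSTRUCTED"
)


def parse_sas_url(url):
    """Return the SAS query parameters as a flat dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def classify(params):
    """Classify by which documented parameters are present.

    skoid (signed object id of the delegating user) marks a user delegation SAS;
    ss/srt (signed services / resource types) mark an account SAS;
    sr (signed resource) marks a service SAS.
    """
    if "skoid" in params:
        return "user-delegation"
    if "ss" in params and "srt" in params:
        return "account"
    if "sr" in params:
        return "service"
    return "unknown"


def parse_expiry(se):
    """Parse the 'se' field; Azure accepts date-only and UTC timestamp forms."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(se, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def audit_sas_url(url, now=None, max_lifetime=timedelta(days=7)):
    """Return the token kind and a list of findings against the best practices."""
    now = now or datetime.now(timezone.utc)
    params = parse_sas_url(url)
    kind = classify(params)
    findings = []

    # Least privilege: scope
    if kind == "account":
        findings.append("account SAS: scope cannot be narrowed to one container or blob")
        if set(params.get("srt", "")) >= {"s", "c", "o"}:
            findings.append("srt=sco grants service-, container- and object-level access")

    # Least privilege: permissions
    granted = set(params.get("sp", "")) & WRITE_LIKE
    if granted:
        findings.append("write-like permissions granted: " + "".join(sorted(granted)))

    # Short-lived tokens
    expiry = parse_expiry(params.get("se", ""))
    if expiry is None:
        findings.append("no parsable expiry (se)")
    elif expiry - now > max_lifetime:
        days = (expiry - now).days
        findings.append(f"expiry {params['se']} is {days} days out; exceeds {max_lifetime.days}-day limit")

    # Revocation plan
    if kind == "account":
        findings.append("account SAS can only be revoked by rotating the account key")
    elif kind == "service" and "si" not in params:
        findings.append("service SAS without a stored access policy (si): revocation needs key rotation")

    return {"kind": kind, "findings": findings}


if __name__ == "__main__":
    for label, url in (("risky", RISKY_SAS_URL), ("hardened", HARDENED_SAS_URL)):
        result = audit_sas_url(url, now=WIZ_REPORT_DATE)
        print(f"{label}: {result['kind']} SAS, {len(result['findings'])} finding(s)")
        for f in result["findings"]:
            print("  -", f)
```

The risky URL produces five findings (account-wide scope, `srt=sco`, write-like permissions, a 2051 expiry, and key rotation as the only revocation path) while the hardened URL, a read-only service SAS on a single blob bound to a stored access policy and expiring within a day, produces none. The seven-day limit is an assumed policy value; tune `max_lifetime` to your own standard. This helper is a static check on URLs you already hold, so it complements rather than replaces monitoring of SAS usage on the storage account itself.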
