
Microsoft AI Researchers Accidentally Leaked 38 Terabytes of Private Data

In a recent security incident, Microsoft AI researchers inadvertently exposed 38 terabytes of sensitive data on GitHub.

The breach was caused by an overly permissive Shared Access Signature (SAS) token included in an Azure Storage URL shared in the repository.

The breach was discovered by cybersecurity firm Wiz and reported to Microsoft on June 22, 2023. The tech giant revoked the SAS token two days later, on June 24.


The GitHub Repository and Data Exposure

The breach was associated with a GitHub repository owned by Microsoft’s AI research division.

This repository was intended to provide open-source code and AI models for image recognition.

However, a critical security flaw led to unintended consequences.

Users were instructed to download models from an Azure Storage URL, but this URL was configured to grant permissions to the entire storage account, exposing additional private data.

Among the exposed data were backups of the personal computers of two former company employees.

The backups contained a trove of sensitive information, including passwords for Microsoft services, secret keys, and over 30,000 internal messages from hundreds of employees using Teams.

Exposed containers (Source: Wiz)

Role of Shared Access Signatures (SAS) Tokens

The breach resulted from an overly permissive Shared Access Signature (SAS) token included in the URL.

SAS tokens are an Azure mechanism for creating shareable links that grant access to data stored in Azure Storage accounts.

In this case, the misconfiguration of the SAS token allowed not only read access but also “full control” permissions, enabling potential attackers to delete, replace, and inject malicious content into the data.
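A defender can review a SAS URL before it is published by reading its query parameters. The following is an added example, not code from Wiz or Microsoft: it flags account-wide scope and permissions beyond read/list, and goes one step further than the article by also checking token lifetime. The sample URLs, the account name, the signature placeholder and the 7-day limit are constructed assumptions.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

READ_ONLY = {"r", "l"}   # read and list; anything else in sp can modify data
MAX_LIFETIME_DAYS = 7    # assumed policy threshold, not an Azure default
SAMPLE_NOW = datetime(2023, 6, 22, tzinfo=timezone.utc)  # constructed review date

# Constructed sample URLs; the sig value is a placeholder, not a real signature.
BROAD = ("https://exampleacct.blob.core.windows.net/models/model.ckpt"
         "?sv=2021-08-06&ss=b&srt=sco&sp=rwdlacup"
         "&se=2040-01-01T00:00:00Z&sig=PLACEHOLDER")
NARROW = ("https://exampleacct.blob.core.windows.net/models/model.ckpt"
          "?sv=2021-08-06&sr=b&sp=r&se=2023-06-25T00:00:00Z&sig=PLACEHOLDER")

def audit_sas_url(url, now=None):
    """Return a list of findings for one SAS URL; an empty list means none."""
    now = now or datetime.now(timezone.utc)
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in q:
        return ["not a SAS URL (no sig parameter)"]
    findings = []
    # An account SAS carries ss/srt and covers whole services in the account,
    # while a service SAS names one resource with sr.
    if "ss" in q or "srt" in q:
        findings.append("account-level SAS (ss=%s srt=%s)"
                        % (q.get("ss", "?"), q.get("srt", "?")))
    extra = sorted(set(q.get("sp", "")) - READ_ONLY)
    if extra:
        findings.append("permissions beyond read/list: " + "".join(extra))
    se = q.get("se")
    if se is None:
        findings.append("no se parameter; review the stored access policy")
    else:
        expiry = datetime.fromisoformat(se.replace("Z", "+00:00"))
        if expiry.tzinfo is None:          # date-only values carry no zone
            expiry = expiry.replace(tzinfo=timezone.utc)
        days = (expiry - now).days
        if days > MAX_LIFETIME_DAYS:
            findings.append("expires in %d days (limit %d)"
                            % (days, MAX_LIFETIME_DAYS))
    return findings

if __name__ == "__main__":
    for name, url in (("BROAD", BROAD), ("NARROW", NARROW)):
        print(name, audit_sas_url(url, SAMPLE_NOW) or "no findings")
```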

Response From Microsoft

Upon discovering the breach, Wiz promptly reported the issue to Microsoft on June 22, 2023.

The tech giant took swift action, revoking the SAS token two days later, on June 24.

Following an investigation, Microsoft stated that no customer data was exposed and no other internal services were compromised.

In response to the incident, Microsoft announced measures to prevent similar occurrences. It expanded GitHub’s secret scanning service to include monitoring SAS tokens with overly permissive settings.
