Azure's now-fixed Cosmos DB flaw could have been exploited to read, write any database

Infosec outfit Wiz has revealed that Microsoft’s flagship Azure database Cosmos DB could have been exploited to grant any Azure user full admin access – including the ability to read, write, and delete data – to any Cosmos DB instance on Azure. Without authorization. For months. Wiz has named the flaw ChaosDB. “By exploiting …

  1. Anonymous Coward
    Anonymous Coward

    I don't know the details, but the fact that there is some sort of master-key at all sounds like a very serious design flaw. Makes me wonder how the service could even have passed a security review prior to launch. If I was using Azure I'd think this was a very worrying symptom. It would be interesting to know exactly what the f*ck-up was.

    1. Anonymous Coward
      Anonymous Coward

      CosmosDB is a pretend answer to Spanner, or even RDS. It's just there so MS can say they have an equivalent database to people with purchasing power, who won't know the difference.

      1. Anonymous Coward
        Anonymous Coward

        Nonsense. Spanner is relational, while Cosmos DB is a document database with more in common with Mongo DB, Couchbase, Arango etc. If anything it's in competition with AWS Document DB most of all - Google is still playing catch-up in cloud databases with Amazon & Azure. Closest Google equivalent these days is probably Cloud Firestore.

        1. Anonymous Coward
          Anonymous Coward

          It's not nonsense. I know the difference between the database types. Point being that attributes such as "scale out" and "multimaster", when combined with "SQL API" (yes, that is the SQL-like language now preferred by CosmosDB, sigh) will make it sound to purchasers as though Azure has an answer to Spanner.

  2. Anonymous Coward
    Anonymous Coward

    Will Microsoft ever have cloud services that are safe to connect to the Internet?

    1. katrinab Silver badge
      Trollface

      They do have a cloud service that is safe to connect to the internet

      https://docs.microsoft.com/en-us/azure/virtual-machines/linux/create-upload-openbsd

      Two of them in fact

      https://docs.microsoft.com/en-us/azure/virtual-machines/linux/freebsd-intro-on-azure

    2. Anonymous Coward
      Anonymous Coward

      They're as safe as the people who use them - all the services have firewall controls on the public endpoints to lock down who can access them, and the vast majority have an AAD authentication option. That doesn't stop people who should know better from leaving public endpoints open and opting for unsafe authentication methods like access keys (as in this case), which by the way is equally possible in AWS. You can totally leave your S3 storage bucket open to the internet with access keys if you feel like it.

      1. Anonymous Coward
        Anonymous Coward

        If you read the article, you'll see what the OP meant. It's not about user misconfiguration.

  3. Smartypantz

    Ultimate supply chain attack

    Azure (and Amazon) are a global disaster waiting to happen.

    It's the ultimate target for a supply chain attack, and it's just a matter of time before someone has enough patience to pull it off.

  4. doug_bostrom

    Perhaps some of the budget directed to creative spelling could be repurposed to something more useful. How much did "Jupyter" cost, in meetings etc.?

    1. ronkee

      It's an open source data science application, not a Microsoft trademark, not by Microsoft.

    2. katrinab Silver badge
      Paris Hilton

      Jupyter is not a Microsoft product. It was started by Fernando Pérez, and so called because it supports the JUlia, PYThon, and R programming languages.

  5. This post has been deleted by its author

  6. dgappy

    Like many cloud services, not only in Azure but AWS as well (the ubiquitous S3 storage for instance), in Cosmos the most basic form of access control uses secret "keys" to secure accounts.

    While this is a serious hack, the only accounts that are at risk of data breach are those that:

    a) are using basic key based access rather than RBAC with AD

    b) AND have enabled a public IP endpoint for their database

    c) AND have disabled all the firewall controls on that public endpoint
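
As an added example (not code from the post, from The Register, or from Microsoft), the three conditions dgappy lists, together with the public-endpoint firewall and AAD authentication controls the earlier Anonymous Coward comment mentions, can be turned into a quick configuration check. The script below runs over a constructed stand-in for the JSON that `az cosmosdb show` prints for one account. The field names `disableLocalAuth`, `publicNetworkAccess`, `ipRules`, `isVirtualNetworkFilterEnabled` and `virtualNetworkRules` are assumed here to match the Cosmos DB account resource model; confirm them against the current Azure documentation before using this on real output.

```python
import json

# Constructed sample: a trimmed-down stand-in for the JSON that
# `az cosmosdb show` prints for one account. The field names are an
# assumption about the Cosmos DB account resource model; the values
# are made up to represent an account that meets all three conditions.
SAMPLE_ACCOUNT_JSON = """
{
  "name": "example-cosmos-account",
  "disableLocalAuth": false,
  "publicNetworkAccess": "Enabled",
  "ipRules": [],
  "isVirtualNetworkFilterEnabled": false,
  "virtualNetworkRules": []
}
"""


def assess_exposure(account):
    """Report which of the three risk conditions hold for one account dict.

    a) key_based_auth: account keys are still accepted (local auth not disabled),
       so possession of a leaked key is enough to read and write data
    b) public_endpoint: the public IP endpoint is enabled
    c) no_firewall: neither IP rules nor a VNet filter restrict that endpoint
    The account is only fully exposed to a leaked key when all three hold.
    """
    key_based_auth = not account.get("disableLocalAuth", False)
    public_endpoint = account.get("publicNetworkAccess", "Enabled") == "Enabled"
    has_ip_rules = len(account.get("ipRules") or []) > 0
    has_vnet_filter = bool(account.get("isVirtualNetworkFilterEnabled", False))
    no_firewall = public_endpoint and not has_ip_rules and not has_vnet_filter
    return {
        "name": account.get("name", "<unknown>"),
        "key_based_auth": key_based_auth,
        "public_endpoint": public_endpoint,
        "no_firewall": no_firewall,
        "all_three": key_based_auth and public_endpoint and no_firewall,
    }


def assess_exposure_json(text):
    """Parse raw `az cosmosdb show` output and assess it."""
    return assess_exposure(json.loads(text))


def remediation_hints(findings):
    """Map each finding that holds to the control that removes it."""
    hints = []
    if findings["key_based_auth"]:
        hints.append("disable key-based (local) auth and use AAD RBAC instead")
    if findings["public_endpoint"]:
        hints.append("disable public network access or restrict it to known sources")
    if findings["no_firewall"]:
        hints.append("add IP firewall rules or a virtual network filter on the endpoint")
    return hints


if __name__ == "__main__":
    result = assess_exposure_json(SAMPLE_ACCOUNT_JSON)
    print(json.dumps(result, indent=2))
    for hint in remediation_hints(result):
        print("-", hint)
```

Flipping any one of the three settings (for example setting `disableLocalAuth` to true) makes `all_three` false, which is exactly dgappy's point: the leaked key only matters when the other two controls were also left off.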
