38 Terabytes. That’s the amount of storage it takes to store 7600 hours of HD video, enough to watch for 316 days without repeating anything.
It’s also the amount of private company data that Microsoft AI researchers accidentally exposed, including over 30,000 internal Teams messages, according to cloud security company Wiz.
The Microsoft Azure Leak
A Microsoft-owned GitHub repository, named robust-models-transfer, was set up by Microsoft’s AI research devision, and was intended for use in AI image recognition. In the repository, users were instructed to download AI models from an Azure storage link. What Microsoft wasn’t aware of, however, was that the Azure URL shared in the repository granted root access to the entire Azure storage account. This mistake, according to Wiz, was a result of a misconfigured SAS (Shared Access Signature) Token, which can allow users to easily share permissions through simply sending a link to a collaborator. However, instead of the typical read-only permissions, according to Wiz, the token “was configured to grant permissions on the entire storage account, exposing additional private data by mistake.”
According to Wiz, the Azure token allowed full access to the storage account for 3 years before the token was invalidated manually on June 24, 2023. Microsoft completed their investigation into the data leak on August 16, 2023, and “no customer data was exposed, and no other internal services were put at risk because of this issue,” the Microsoft Security Response Center reported.
How to Prevent Azure Data Leaks
Wiz recommends that users stray away from using SAS entirely due to the concerns about their management and trackability. “There isn’t any official way to keep track of these tokens within Azure, nor to monitor their issuance, which makes it difficult to know how many tokens have been issued and are in active use.” It’s recommended that users take several steps in order to prevent similar leaks, including:
- Consider utilizing Service SAS tokens with Stored Access Policies for external sharing.
- For time-limited sharing needs, opt for User Delegation SAS tokens.
- Establish separate storage accounts dedicated to external sharing to limit the potential impact of over-privileged tokens to external data only.
- Use a CSPM solution to enforce and monitor SAS token access policies across your organization.
- To eliminate SAS tokens entirely, disable SAS access for each storage account separately.
- Block access to the “list storage account keys” operation in Azure to prevent unauthorized access to account keys.
- Rotate the account keys periodically to invalidate pre-existing SAS tokens.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –