IANS | 18 Sep, 2023
Microsoft on Monday admitted that backups of two former employees’
workstation profiles and internal Microsoft Teams messages of these two
employees with their colleagues were exposed accidentally, adding that
no customer data was exposed.
The admission came as cloud security startup Wiz discovered a GitHub repository belonging to Microsoft’s AI research division as part of its work into the accidental exposure of cloud-hosted data.
After identifying the exposure, Wiz reported the issue to the Microsoft Security Response Center (MSRC).
The tech giant investigated and remediated the incident involving a Microsoft employee who shared a URL for a blob store in a public GitHub repository while contributing to open-source AI learning models.
“This URL included an overly-permissive Shared Access Signature (SAS) token for an internal storage account. Security researchers at Wiz were then able to use this token to access information in the storage account,” said Microsoft.
“No customer data was exposed, and no other internal services were put at risk because of this issue,” the tech giant said in a blog post.
SAS tokens provide a mechanism to restrict access and allow certain clients to connect to specified Azure Storage resources.
In this case, a researcher at Microsoft inadvertently included this SAS token in a blob store URL while contributing to open-source AI learning models and provided the URL in a public GitHub repository.
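The two failure modes described above, a SAS URL committed to a public repository and a token whose permissions and lifetime were broader than the task needed, are both things a repository owner can check for before a push. The script below is an added example, not code from Microsoft or Wiz: it scans text for SAS-style URLs and audits each token's query parameters (the standard `sp`, `se`, `sr`, `srt`, `ss`, `spr`, `sip` and `sig` fields) against a least-privilege baseline. The storage account name, README text and signatures in it are constructed sample values, and the seven-day expiry threshold is an assumed policy, not an Azure default.

```python
"""Find Azure Storage SAS URLs in text and flag over-permissive tokens.

Added example (not from the article, Microsoft or Wiz). Assumes the
standard SAS query parameter names; all URLs and signatures below are
constructed samples.
"""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Subset of documented SAS permission letters; 'r' is the only read-only one.
PERMISSION_NAMES = {"r": "read", "w": "write", "d": "delete",
                    "l": "list", "a": "add", "c": "create"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def find_sas_urls(text: str) -> list[str]:
    """Return every URL in text that carries a SAS signature (sig=) and version (sv=)."""
    found = []
    for url in URL_RE.findall(text):
        q = parse_qs(urlsplit(url).query)
        if "sig" in q and "sv" in q:
            found.append(url)
    return found


def parse_sas_time(value: str) -> datetime:
    """SAS times are UTC, either full ISO 8601 (…T00:00:00Z) or date-only."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS time: {value}")


def audit_sas_url(url: str, now: datetime, max_days: int = 7) -> list[str]:
    """Return a list of findings; an empty list means the token passed every check."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    findings = []
    if not {"sig", "sp", "se"} <= q.keys():
        return ["incomplete SAS token (missing sig, sp or se)"]

    # Anything beyond read is more than a "share this model file" link needs.
    extra = set(q["sp"]) - {"r"}
    if extra:
        names = ", ".join(PERMISSION_NAMES.get(p, p) for p in sorted(extra))
        findings.append(f"grants more than read: {names}")

    expiry = parse_sas_time(q["se"])
    if expiry <= now:
        findings.append("expired")
    elif expiry - now > timedelta(days=max_days):
        findings.append(f"expiry {expiry.date()} is more than {max_days} days out")

    # Scope: a service SAS on a whole container, or an account SAS, exposes far
    # more than one blob.
    if q.get("sr") == "c":
        findings.append("scoped to a whole container, not a single blob")
    if "ss" in q or "srt" in q:
        findings.append("account-level SAS (ss/srt), not a single resource")

    if q.get("spr", "https") != "https":
        findings.append(f"allows plain HTTP (spr={q['spr']})")
    if "sip" not in q:
        findings.append("no source IP restriction (sip)")
    return findings


# Constructed sample input: a README with one ordinary link and one SAS link.
RISKY_URL = ("https://examplestorage.blob.core.windows.net/models"
             "?sv=2021-06-08&sr=c&sp=rwdl&st=2020-01-01T00:00:00Z"
             "&se=2051-10-06T00:00:00Z&spr=https&sig=FAKESIG%3D")
SAFE_URL = ("https://examplestorage.blob.core.windows.net/models/weights.bin"
            "?sv=2021-06-08&sr=b&sp=r&se=2023-09-20T00:00:00Z&spr=https"
            "&sip=203.0.113.10&sig=FAKESIG%3D")
SAMPLE_README = ("# Model weights\n"
                 "Source: https://github.com/example/repo\n"
                 "Download:\n" + RISKY_URL + "\n")
NOW = datetime(2023, 9, 18, tzinfo=timezone.utc)

if __name__ == "__main__":
    for url in find_sas_urls(SAMPLE_README):
        print(url)
        for finding in audit_sas_url(url, NOW):
            print("  -", finding)
```

Run as a pre-commit hook over staged files, any SAS URL it finds is reason enough to block the commit; the audit output then tells the author whether the token itself also needs to be revoked and reissued with narrower scope.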
“There was no security issue or vulnerability within Azure Storage or the SAS token feature. Like other secrets, SAS tokens should be created and managed properly. Additionally, we are making ongoing improvements to further harden the SAS token feature and continue to evaluate the service to bolster our secure-by-default posture,” Microsoft noted.
The information that was exposed consisted of information unique to two former Microsoft employees and these former employees’ workstations.
“Customers do not need to take any additional action to remain secure,” said the company.