Microsoft publicly acknowledged an inadvertent exposure of its internal data, specifically backups of the workstation profiles and Teams messages of two former employees. Crucially, the tech giant assured that the incident did not expose any customer data.
The story unfolded after Wiz, a cloud security startup, stumbled upon a GitHub repository belonging to Microsoft’s AI research division. A member of the division was found to have inadvertently shared a URL in a public GitHub repository while contributing to open-source AI learning models.
According to Microsoft, “This URL included an overly-permissive Shared Access Signature (SAS) token for an internal storage account.” Wiz security experts then leveraged this token to access the data residing within the storage account.
The Redmond-based company was quick to assert in a blog post, “No customer data was exposed, and no other internal services were put at risk because of this issue.” Shared Access Signature, or SAS, tokens are the mechanism by which Azure Storage grants specific clients restricted access to particular storage resources.
The exposed SAS token was embedded in a blob store URL by a Microsoft researcher while contributing to open-source AI learning models. The URL, complete with the SAS token, was subsequently posted in a public GitHub repository.
The tech giant stated, “There was no security issue or vulnerability within Azure Storage or the SAS token feature.” Essentially, the incident was a consequence of mishandling secrets such as SAS tokens, rather than any inherent flaw in Azure Storage or the SAS mechanism. Microsoft also highlighted its continuous efforts to enhance the security surrounding the SAS token feature and to reassess the service to fortify its secure-by-default posture.
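As an added illustration (not code from Microsoft, Wiz or this article), the Python below audits the query parameters of a SAS URL found in a repository and reports the properties that make a token like the one described above “overly-permissive”: write-class permissions, account-wide scope, a distant expiry, plaintext HTTP, and no stored access policy to revoke it with. The storage account name, sample URL, reference time and signature are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# SAS permission letters that let the holder change data or metadata (beyond read/list).
MUTATING = set("wdacuxympeoi")
# Constructed reference time for the sample audit (not taken from the incident).
AUDIT_TIME = datetime(2024, 1, 1, tzinfo=timezone.utc)

def audit_sas_url(url: str, now: Optional[datetime] = None, max_days: int = 7) -> List[str]:
    """Return one finding per reason the SAS URL is broader than a leak scanner should accept."""
    now = now or datetime.now(timezone.utc)
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if "sig" not in q or "sv" not in q:
        return []  # no signed SAS parameters, nothing to audit
    findings, perms = [], set(q.get("sp", ""))
    if perms & MUTATING:
        findings.append(f"grants write/delete-class permissions: sp={q['sp']}")
    # Account SAS (ss/srt) spans every container in the account; a service SAS (sr) is scoped.
    if "srt" in q:
        findings.append(f"account-wide scope: ss={q.get('ss', '')} srt={q['srt']}")
    elif q.get("sr") == "c" and "l" in perms:
        findings.append("whole-container scope with list permission")
    if q.get("se"):
        exp = datetime.fromisoformat(q["se"].replace("Z", "+00:00"))
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        if exp - now > timedelta(days=max_days):
            findings.append(f"expiry {q['se']} is more than {max_days} days out")
    if q.get("spr", "https") != "https":
        findings.append(f"usable over plaintext HTTP: spr={q['spr']}")
    if "si" not in q:
        # Without a stored access policy the token can only be revoked by rotating the key that signed it.
        findings.append("no stored access policy (si): revocation requires key rotation")
    return findings

def redact_sas_url(url: str) -> str:
    """Blank the signature so a finding can be logged without re-leaking the token."""
    parts = urlparse(url)
    q = [(k, "REDACTED" if k == "sig" else v[0]) for k, v in parse_qs(parts.query).items()]
    return parts._replace(query="&".join(f"{k}={v}" for k, v in q)).geturl()

# Constructed sample URL (not the leaked one): an account SAS with broad rights and a distant expiry.
SAMPLE_URL = ("https://examplestorage.blob.core.windows.net/models?"
              "sv=2021-06-08&ss=bfqt&srt=sco&sp=rwdlacup&se=2040-01-01T00:00:00Z"
              "&spr=https,http&sig=PLACEHOLDER_SIGNATURE")

if __name__ == "__main__":
    for finding in audit_sas_url(SAMPLE_URL, now=AUDIT_TIME):
        print(redact_sas_url(SAMPLE_URL), "->", finding)
```

A read-only, blob-scoped, short-lived token still produces the revocation finding, which is the point: a leaked SAS signed directly with an account key cannot be invalidated without rotating that key.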
The data that was unwittingly exposed comprised unique information linked to two former Microsoft employees and their respective workstations. Despite the sensitivity of the incident and its potential implications, Microsoft maintained that its customers were safe and that no action was required of them: “Customers do not need to take any additional action to remain secure,” the company said.