CyberSecurity SEE

Data Leak from Microsoft Azure Highlights Risks of File-Sharing Links

A misconfigured file-sharing link has exposed internal Microsoft data. The incident was disclosed by cloud data-security firm Wiz, which found that a Shared Access Signature (SAS) token, meant to grant access to a single private data repository, had been scoped to the entire storage account instead, so anyone holding the link could read everything in it.

The repository belonged to Microsoft’s AI research division, which pointed users at the SAS link to download open source images and code from the Azure Storage account. Because of the misconfiguration, the same link also exposed sensitive files and data that were never meant to be shared.

According to Ami Luttwak, chief technology officer and co-founder of Wiz, the incident highlights the risks that come with SAS links. Luttwak expressed concern that a user can mistakenly share an entire storage account, potentially leading to remote code execution.

This incident is not an isolated case. In recent years, major cloud providers have increasingly drawn the attention of both researchers and attackers. Similar exposures have been reported involving misconfigured Amazon Web Services (AWS) S3 buckets, in one case exposing hundreds of thousands of documents related to a financial app. Thousands of US veterans and millions of Time Warner Cable subscribers also had sensitive data exposed through misconfigured S3 buckets. Microsoft Azure has had its share of such incidents as well, with a security firm finding data at risk behind a misconfigured cloud storage endpoint.

Microsoft confirmed the details of the incident and stated that no customer data was exposed and no other internal services were put at risk. The exposed data did, however, include backups of two former employees’ workstation profiles and internal Microsoft Teams messages. Microsoft acknowledged the incident through the Microsoft Security Response Center (MSRC) and said that customers need take no action.

Azure’s SAS feature lets users grant scoped access to files and resources in a storage account. Governing the permissions employees hand out this way is the hard part: a SAS token signed with the account key is computed on the client and is never registered with the storage service, so there is no inventory of issued tokens, and security teams cannot see, monitor or individually revoke them.

Wiz is not the only company to flag the risks of Azure’s share-by-link mechanism. Security assessments routinely turn up insecurely configured Azure Storage accounts: default deployments often lack the necessary controls, so the IT team has to configure them explicitly.

To mitigate the risks of SAS tokens, Wiz recommends not using them at all to share files from private cloud storage accounts. Instead, a company should keep a separate public storage account dedicated to resources meant for sharing; a misconfigured link there cannot expose private data, which greatly reduces the impact of a mistake.

For companies that still choose to share specific files from private storage using SAS URLs, Microsoft has extended GitHub’s secret scanning to detect exposed SAS tokens and has rescanned repositories to catch tokens that were already published.

Microsoft advises Azure users to issue only short-lived SAS tokens, to follow the principle of least privilege by scoping each token to the narrowest resource and permission set the task needs, and to have a revocation plan in place: a SAS signed with the account key and not tied to a stored access policy can only be revoked by rotating that key. Handling SAS tokens this way keeps the window for unintended access or abuse small.
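The two points above, that nobody can enumerate SAS tokens after the fact and that each token should be short-lived, least-privilege and revocable, can at least be checked on any SAS URL a team does find (in a repository, a wiki, a chat log). The following is an added example written for this article, not code from Wiz or Microsoft: it reads only the public query parameters of a SAS URL and reports how far the grant reaches and how it could be revoked. The hostname, the stored access policy name, the one-hour lifetime policy and the sample URLs are all constructed for the example, and the signature values are placeholders that are never verified.

```python
"""Audit Azure SAS URLs for over-broad grants.

Added example for this article; not code from Wiz or Microsoft. Only the
public query parameters (sv, sig, sp, se, ss, srt, sr, si, skoid) are read;
the signature is never validated, so `sig` values below are placeholders and
the URLs are constructed samples, not the leaked link.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# The only `sp` permission letters a "download these files" link needs.
READ_LIST = {"r", "l"}


@dataclass
class SasReport:
    kind: str                      # "account", "service" or "user-delegation"
    permissions: set
    expiry: datetime | None        # from `se`; None if absent
    scope: str                     # `srt` for an account SAS, `sr` for a service SAS
    stored_policy: str | None      # `si`, the stored access policy name, if any
    findings: list = field(default_factory=list)


def _parse_time(value: str) -> datetime:
    """`se` is ISO 8601 UTC ("2051-10-06T21:26:29Z" or a bare date)."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def audit_sas(url: str, now: datetime,
              max_lifetime: timedelta = timedelta(hours=1)) -> SasReport:
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sv" not in q or "sig" not in q:
        raise ValueError("not a SAS URL: no sv/sig parameters")

    # A user delegation SAS carries the delegation key's object id (skoid);
    # an account SAS names services (ss) and resource types (srt); anything
    # else is a service SAS scoped to one container or blob (sr).
    if "skoid" in q:
        kind = "user-delegation"
    elif "ss" in q or "srt" in q:
        kind = "account"
    else:
        kind = "service"

    report = SasReport(
        kind=kind,
        permissions=set(q.get("sp", "")),
        expiry=_parse_time(q["se"]) if "se" in q else None,
        scope=q.get("srt") or q.get("sr", ""),
        stored_policy=q.get("si"),
    )

    if kind == "account":
        report.findings.append("account SAS: scope is the whole storage account, not one container")
        if "s" in report.scope:
            report.findings.append("srt contains 's': service-level operations such as listing every container")
    extra = report.permissions - READ_LIST
    if extra:
        report.findings.append("permissions beyond read/list: " + "".join(sorted(extra)))
    if report.expiry is None:
        report.findings.append("no se parameter: lifetime is open-ended unless a stored access policy caps it")
    elif report.expiry - now > max_lifetime:
        days = (report.expiry - now).days
        report.findings.append(f"expires in {days} days; policy allows {max_lifetime}")
    if kind != "user-delegation" and report.stored_policy is None:
        report.findings.append("signed with the account key and not bound to a stored access policy: "
                               "revocation means rotating the key")
    return report


# Constructed samples. The first follows the pattern the article describes: an
# account SAS over every service (ss=bfqt) and resource type (srt=sco), with
# every permission, expiring decades out. The second is what the same
# "download our files" link should look like: a container-scoped service SAS
# bound to a stored access policy, read+list only, expiring within the hour.
NOW = datetime(2023, 9, 18, 10, 30, tzinfo=timezone.utc)   # constructed "current time"
OVERBROAD = ("https://example.blob.core.windows.net/models?sv=2021-06-08"
             "&ss=bfqt&srt=sco&sp=rwdlacupiytfx&se=2051-10-06T21:26:29Z"
             "&spr=https&sig=PLACEHOLDER")
HARDENED = ("https://example.blob.core.windows.net/models?sv=2021-06-08"
            "&sr=c&si=public-models-read&sp=rl&se=2023-09-18T11:00:00Z"
            "&spr=https&sig=PLACEHOLDER")


if __name__ == "__main__":
    for name, url in (("over-broad", OVERBROAD), ("hardened", HARDENED)):
        r = audit_sas(url, NOW)
        print(f"{name}: {r.kind} SAS, scope={r.scope!r}, sp={''.join(sorted(r.permissions))}")
        for f in r.findings:
            print("  -", f)
```

The check deliberately treats a token bound to a stored access policy (`si`) differently from a bare one: the policy can be deleted or shortened on the server to kill every token that references it, whereas a token signed directly with the account key stays valid until the key is rotated. A user delegation SAS is skipped for that finding because it is signed with a short-lived delegation key rather than the account key.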

The incident is a reminder of how easily file-sharing links go wrong and underscores the need for stringent controls around sensitive data stored in the cloud.
