Microsoft’s 38TB Data Fiasco

by

It’s not every day you stumble upon a treasure trove of secrets. But
that’s precisely what happened when a Microsoft researcher, probably multitasking
between coding and binge-watching cat videos, shared a URL on a public GitHub repository. Little did they know, they
were about to gift the world 38TB of Microsoft’s deepest data secrets.

Picture this: June 2023, a Microsoft researcher innocently shares a URL
on a public GitHub repository while contributing to an open-source AI model.
Harmless, right? Wrong. The URL contained a “shared access signature”
(SAS) token, and this wasn’t your average token.

SAS tokens, designed to restrict access to Azure Storage (part of
Microsoft’s cloud offering), are like the wild cards in a deck of otherwise
predictable playing cards. They’re flexible, and herein lies the rub. Users can
customize access levels, adjust expiry times, and essentially create tokens
that never expire – our star token was valid till 2051, a good 28 years from
now. You can learn all about them here,
courtesy of Microsoft. Perhaps read on first, though.

Now, here’s where we go from mild mishap to serious problem. This
particular SAS token, configured with the techy finesse of a bull in a china
shop, granted access across an entire storage account. A storage account that
happened to house 38TB of data, including sensitive employee information,
secret keys, and internal team messages. Oops.

Keys to the kingdom?

Thankfully, it wasn’t all doom and gloom. The brilliant minds at Wiz.io, a cloud security firm, discovered the
mishap and joined forces with Microsoft to contain the chaos. In a coordinated vulnerability
disclosure report
, they revealed the mishap. The silver lining? No customer
data was exposed, and the incident has given Microsoft a valuable lesson. Now,
releasing the inside story after the problem has been resolved and fixed,
hopefully to never happen again, is common in the world of IT security – The eagle-eyed
among you will have noticed that this occurred in June, but the story’s only
recently been doing the rounds. However, it certainly sounds like Microsoft had
to jump when Wiz.io got on the phone and no doubt there were some hasty
apologies.

Microsoft acknowledged the blunder and promised to enhance its SAS
token feature. They also emphasized the importance of creating and managing
these tokens properly, just like guarding the keys to your kingdom.

The key takeaway from all of this is to not share your data in a public
space. We can’t believe we’ve had to write that, but there you go.

For more news and amusements, be sure to follow Trending.

It’s not every day you stumble upon a treasure trove of secrets. But
that’s precisely what happened when a Microsoft researcher, probably multitasking
between coding and binge-watching cat videos, shared a URL on a public GitHub repository. Little did they know, they
were about to gift the world 38TB of Microsoft’s deepest data secrets.

Picture this: June 2023, a Microsoft researcher innocently shares a URL
on a public GitHub repository while contributing to an open-source AI model.
Harmless, right? Wrong. The URL contained a “shared access signature”
(SAS) token, and this wasn’t your average token.

SAS tokens, designed to restrict access to Azure Storage (part of
Microsoft’s cloud offering), are like the wild cards in a deck of otherwise
predictable playing cards. They’re flexible, and herein lies the rub. Users can
customize access levels, adjust expiry times, and essentially create tokens
that never expire – our star token was valid till 2051, a good 28 years from
now. You can learn all about them here,
courtesy of Microsoft. Perhaps read on first, though.

Now, here’s where we go from mild mishap to serious problem. This
particular SAS token, configured with the techy finesse of a bull in a china
shop, granted access across an entire storage account. A storage account that
happened to house 38TB of data, including sensitive employee information,
secret keys, and internal team messages. Oops.

Keys to the kingdom?

Thankfully, it wasn’t all doom and gloom. The brilliant minds at Wiz.io, a cloud security firm, discovered the
mishap and joined forces with Microsoft to contain the chaos. In a coordinated vulnerability
disclosure report
, they revealed the mishap. The silver lining? No customer
data was exposed, and the incident has given Microsoft a valuable lesson. Now,
releasing the inside story after the problem has been resolved and fixed,
hopefully to never happen again, is common in the world of IT security – The eagle-eyed
among you will have noticed that this occurred in June, but the story’s only
recently been doing the rounds. However, it certainly sounds like Microsoft had
to jump when Wiz.io got on the phone and no doubt there were some hasty
apologies.

Microsoft acknowledged the blunder and promised to enhance its SAS
token feature. They also emphasized the importance of creating and managing
these tokens properly, just like guarding the keys to your kingdom.

The key takeaway from all of this is to not share your data in a public
space. We can’t believe we’ve had to write that, but there you go.

For more news and amusements, be sure to follow Trending.



Source link

Related Posts