Microsoft fixed a security issue that left internal company documents and login details exposed on the internet. Can Yoleri, Murat Özfidan, and Egemen Koçhisarlı, security researchers at SOCRadar, a firm that looks for security risks for businesses, found an unprotected storage server on Microsoft’s Azure cloud service. The server held internal information about Microsoft’s Bing search engine.
The Azure storage server contained code, scripts, and configuration files with passwords, keys, and login details. Microsoft employees used these to access other internal databases and systems.
However, the storage server was not protected with a password and could be accessed by anyone on the internet.
Yoleri told TechCrunch that the exposed data could help malicious actors identify or access other places where Microsoft stores its internal files. Identifying those storage locations “could result in more significant data leaks and possibly compromise the services in use,” Yoleri said.
The researchers told Microsoft about the security mistake on February 6, and Microsoft secured the exposed files on March 5.
When contacted by email, a Microsoft spokesperson did not respond by publication time. A statement was provided after publication on Wednesday.
Microsoft’s Jeff Jones told TechCrunch: “Though the credentials should not have been exposed, they were temporary, accessible only from internal networks, and disabled after testing. We thank our partners for responsibly reporting this issue.”
Jones didn’t mention how long the cloud server was open to the internet or whether anyone besides SOCRadar found the data that was exposed.
This is another security slip-up at Microsoft as the company works to regain its customers’ trust following various cloud security events in the past few years. In a similar incident last year, researchers discovered that Microsoft employees were accidentally sharing their corporate network login details in code posted on GitHub.
Last year, Microsoft faced criticism after admitting it did not know how China-backed hackers managed to obtain an internal email signing key. This key gave the hackers wide-ranging access to Microsoft-hosted email accounts of top U.S. government officials.
A report released last week by a group of independent cybersecurity experts, who were looking into the email hack, stated that the hackers were successful due to multiple security oversights at Microsoft.
In March, Microsoft announced it was fighting off an ongoing cyberattack. This attack, carried out by hackers backed by the Russian government, involved the theft of parts of Microsoft’s source code and internal emails from the company’s top executives.
What do we think?
I think Microsoft will work harder on security now. They’ll check everything more carefully to keep their data safe. People might be upset for a while, but if Microsoft shows they’re fixing things, trust might come back.
Security mistakes happen, but it’s important how a company fixes them. I hope no one bad found the data before it was secured. Keeping information safe is really important for everyone.