Microsoft Azure Cosmos DB contained flaws that allowed anyone to access and modify customer databases, exposing the data of numerous users.
FREMONT, CA: A couple of months back, a major security vendor announced that it had identified the worst cloud vulnerability one could possibly imagine in Microsoft Azure's managed database services. The vulnerability had exposed thousands of Microsoft's customers over the past two years, including several Fortune 500 companies. The vulnerability was detected within Microsoft Azure Cosmos DB, a fully managed NoSQL database service built for app development. The service guarantees single-digit millisecond response times and automatic, instant scalability. Being a fully managed service, Azure Cosmos DB eliminates manual administration work, with management updates and patching applied automatically. The database also handles capacity management efficiently through serverless and autoscaling capabilities.
A chain of flaws in Cosmos DB created a loophole allowing hackers to download, delete, or manipulate the database and to gain read-write access to the underlying architecture of Cosmos DB. The vulnerabilities showed several possible ways for cybercriminals to carry out malicious activities and obtain the primary keys of numerous customers' databases. This could be considered a holy grail for attackers: the loophole allowed them to read, write, delete, and steal any data from the database while running little risk.
The vulnerability came through a new visualization feature, based on Jupyter notebooks, that Microsoft had added back in 2019. This feature was automatically enabled across all Cosmos DB instances in February this year. Cosmos DB is used by several major companies such as Liberty Mutual, Skype, Symantec, and Citrix. Microsoft announced that it had mitigated the vulnerability and started an investigation. The company also confirmed that its internal findings indicated that no customer data had been accessed through this loophole, and that the affected customers had been notified. Microsoft highlighted that the vulnerability only affected the subset of customers who had the Jupyter notebook feature enabled.