Security Microsoft Privacy

Microsoft Employees Exposed Internal Passwords In Security Lapse (techcrunch.com)

Zack Whittaker and Carly Page report via TechCrunch: Microsoft has resolved a security lapse that exposed internal company files and credentials to the open internet. Security researchers Can Yoleri, Murat Ozfidan and Egemen Kochisarli with SOCRadar, a cybersecurity company that helps organizations find security weaknesses, discovered an open and public storage server hosted on Microsoft's Azure cloud service that was storing internal information relating to Microsoft's Bing search engine. The Azure storage server housed code, scripts and configuration files containing passwords, keys and credentials used by the Microsoft employees for accessing other internal databases and systems. But the storage server itself was not protected with a password and could be accessed by anyone on the internet.

Yoleri told TechCrunch that the exposed data could potentially help malicious actors identify or access other places where Microsoft stores its internal files. Identifying those storage locations "could result in more significant data leaks and possibly compromise the services in use," Yoleri said. The researchers notified Microsoft of the security lapse on February 6, and Microsoft secured the spilling files on March 5. It's not known for how long the cloud server was exposed to the internet, or if anyone other than SOCRadar discovered the exposed data inside.

  • Didn't we already go through this on Amazon S3 years ago... people storing credentials in a bucket that has "publicly accessible" enabled?

    Funny how we just keep repeating the same mistakes over and over...

    • Re: (Score:2, Funny)

      by PPH ( 736903 )

      repeating the same mistakes over and over...

      "Why do you keep beating your head against the wall?"

      "Because it feels so good when I stop."

      • by Tablizer ( 95088 )

        MS could leak everything on 5th Ave. and still be the dominant business platform. Entrenchment runs deep.

      • Microsoft self-admits that its cloud is too complex, too easy to miss security issues, .....

        Azure Aspire is their attempt to rebrand Azure services and cut off the trail of bad news about Azure security and configuration (DLL) hell.

        https://learn.microsoft.com/en... [microsoft.com]

        The cloud means that any full-stack developer eventually is forced to be, pick your career path, on a project: 1) a developer, 2) A back-end developer, 3) A network admin, 4) A firewall admin, 5) A database administrator, 6) An IT operations guru,

    • Yes and for quite some time already it's been VERY difficult to 'accidentally' make your bucket public. You literally have to make about 5 explicit clicks to do so.

      So in this case, questions have to be asked about how it is possible? Either Azure doesn't have such default settings, in which case - why not? But if it does, then how the fuck do MS engineers be so moronic to go and make it public? (yes the last one is a rhetorical question :P )

      • by sodul ( 833177 )

        See the cisa link below for the why.

        The answer is a bit similar to why Boeing designs aircraft that fly towards the ground and fall apart mid-flight: safety and security are not the things that get the projects out of the door on time, especially when the original planning did not explicitly account for them because they add cost.

        At some point cyber insurance companies will refuse to insure companies relying on Microsoft stack due to the abysmal security culture. For those that refuse to give money to AWS t

        • by gweihir ( 88907 )

          At some point cyber insurance companies will refuse to insure companies relying on Microsoft stack due to the abysmal security culture.

          That has already started to happen. At the moment it is quietly done, but I talked to the risk modeller responsible for IT insurance at a major insurance provider a few months back. If your infrastructure is pure MS at least they look very carefully at your capabilities to keep that secure and they likely will give you additional requirements in order to get an offer. They also have quite a few requests for insurance now where they do _not_ make an offer.

      • by EvilSS ( 557649 )
        Azure storage accounts, like all Azure SaaS products*, are public by default. Unfortunately MS made the way you access SaaS services without making them public overly complicated, and it requires some networking and DNS work in addition to just setting up the storage account, so many places leave them public, which annoys me to no end.

        However they are not anonymous access by default and you need to explicitly configure them to be so.

        *In Azure, storage accounts are SaaS as they don't actually 'run' in the
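
An added example, not code from this thread or from Microsoft, that separates the two settings EvilSS distinguishes (public network reachability versus account-level anonymous blob access) over a constructed sample shaped like `az storage account list -o json` output; the account names and values are made up:

```python
import json

# Constructed sample resembling `az storage account list -o json` output,
# trimmed to the fields the check needs. Names and values are made up.
SAMPLE_ACCOUNTS_JSON = """
[
  {"name": "stexposed01", "allowBlobPublicAccess": true,
   "publicNetworkAccess": "Enabled",
   "networkRuleSet": {"defaultAction": "Allow"}},
  {"name": "streachable02", "allowBlobPublicAccess": false,
   "publicNetworkAccess": "Enabled",
   "networkRuleSet": {"defaultAction": "Allow"}},
  {"name": "stfiltered03", "allowBlobPublicAccess": true,
   "publicNetworkAccess": "Enabled",
   "networkRuleSet": {"defaultAction": "Deny"}},
  {"name": "stprivate04", "allowBlobPublicAccess": false,
   "publicNetworkAccess": "Disabled",
   "networkRuleSet": {"defaultAction": "Deny"}}
]
"""

def is_internet_reachable(acct):
    """Public network path: public endpoint enabled AND firewall default is Allow."""
    net = acct.get("networkRuleSet") or {}
    return (acct.get("publicNetworkAccess", "Enabled") == "Enabled"
            and net.get("defaultAction", "Allow") == "Allow")

def classify(acct):
    """'anonymous-exposed': reachable and containers MAY be set to anonymous
    access (a per-container check is still needed); 'reachable-authn':
    reachable but every request needs a key, SAS or Entra token;
    'network-restricted': no public network path at all."""
    reachable = is_internet_reachable(acct)
    anon_possible = bool(acct.get("allowBlobPublicAccess", False))
    if reachable and anon_possible:
        return "anonymous-exposed"
    if reachable:
        return "reachable-authn"
    return "network-restricted"

def audit(accounts_json):
    """Map account name -> classification, worst cases first."""
    order = {"anonymous-exposed": 0, "reachable-authn": 1, "network-restricted": 2}
    result = {a["name"]: classify(a) for a in json.loads(accounts_json)}
    return dict(sorted(result.items(), key=lambda kv: order[kv[1]]))

if __name__ == "__main__":
    for name, status in audit(SAMPLE_ACCOUNTS_JSON).items():
        print(f"{status:20} {name}")
```

Accounts in the first bucket are the ones to review container by container; the second bucket is the "public but not anonymous" default the comment describes.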
    • by Entrope ( 68843 )

      Didn't you get the memo? Instead of doing something risky like putting your passwords in a file on your cloud, you're supposed to securely record them on a sticky note stuck to your monitor.

  • by gweihir ( 88907 ) on Wednesday April 10, 2024 @09:41PM (#64385234)

    These days, it is an exception if MS gets something right in the security space. Or any space, really. I recommend reading
            https://www.cisa.gov/sites/def... [cisa.gov]
    for a chronicle of incompetence, arrogance, incapability, non-understanding and lying to customers. It contains such gems as MS still not knowing how the keys to their kingdom got stolen last year.

  • by Ambigwitty ( 10261124 ) on Thursday April 11, 2024 @12:20AM (#64385430)

    Pretty sure I've seen scans catch stuff like this, kind of curious. Although.. I've seen a password on a whiteboard that nobody seemed to care about for weeks too. Anybody passing by outside could easily see it looking from the sidewalk. When I asked about it, I got shrugged at. After the boss finally noticed, it quickly disappeared.

    Having seen how projects ramp up at MS, perhaps this speaks to a need for mandatory templating of scaffolding, locking in some settings, for stuff like this. Very likely that if it doesn't show profit potential immediately and obviously, it's not on the radar there.

    • by Anonymous Coward

      Having worked at MS, it already has very clear guidelines for credential handling and what is done here is a clear violation. Would not be surprised if there was serious blowback on whoever was responsible for this, as such breaches they take very seriously, with annual training around this stuff.
    • by gweihir ( 88907 )

      It probably violates a number of policies. But security is not about having policies, it is about caring about security and having the understanding and education to do it right. MS does not have that.

      • Re: (Score:2, Insightful)

        MS does not have that.

        Always with the FUD. Never with the facts.

        There is nothing anyone can do about intentional idiots, except for crippling their access in such a way that they simply cannot do anything. Which is not going to get anything delivered.

        But maybe in the magical Utopia you reside in this is sorted using... fairy dust?

        • by gweihir ( 88907 )

          MS has time and again proven that they have no security culture (and no reliability culture either). That is not FUD. That is observable fact. Oh, sure, they _pretend_ to care about security and those weak of mind get fooled by that bunch of lies, but the facts tell a different story.

    • by lannocc ( 568669 ) <lannocc@yahoo.com> on Thursday April 11, 2024 @11:07AM (#64386722) Homepage

      From the sidewalk? So once again, we can blame Microsoft windows.
  • You should have to jump through so many hoops and perhaps sacrifice a chicken, to make some cloud repository public.
  • Anyone else remember back when Microsoft used to regularly forget and let their domain registrations lapse and make a joke and even a contest of it when "regular civilians" would renew the registrations for them? Good times. This is the company you're expecting security from. lol.
