Microsoft and Wiz.io Researchers Uncover Data Leak Risk in Azure Tokens
A recent vulnerability disclosure by Microsoft and cloud security specialists Wiz.io has shed light on the risks of over-granting data privileges through Azure tokens. The coordinated effort aims to address the issue of shared access signature (SAS) tokens and the data leaks they can cause when scoped too broadly.
In June 2023, an unintentional data leak occurred due to an employee inadvertently sharing an overly permissive SAS token in a public GitHub repository. While working on an open source artificial intelligence learning model, the employee referenced an Azure Blob store and unknowingly exposed sensitive information. This mistake resulted in the mishandling of a token that could be used to access the entire storage account, which contained 38TB of data, including sensitive employee data.
SAS tokens carry inherent risks: it is easy for a user to set overly broad access levels and distant expiry times, and once such a token has been issued it is difficult for administrators to revoke it. The researchers at Wiz.io, Hillai Ben-Sasson and Ronny Greenberg, emphasize that the security and governance surrounding account SAS tokens should be treated with the same level of sensitivity as the account key itself. They advise against using account SAS for external sharing, because easily overlooked mistakes at token creation can expose sensitive data.
Fortunately, Microsoft and Wiz.io discovered the data leak before it was exploited but decided to publish their findings to prevent similar incidents in the future. The report includes key learnings and best practices to inform customers and help them avoid such mistakes.
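To make the researchers' advice concrete, the following added example (not code from Microsoft, Wiz.io, or the report) audits a SAS URL for the properties that made the leaked token dangerous: account-level scope (`ss`/`srt`), permissions beyond read and list (`sp`), a far-off or missing expiry (`se`), and signing directly with the account key rather than a stored access policy (`si`) or user delegation key (`skoid`). The sample URLs, hostnames, signatures and the seven-day lifetime threshold are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# Constructed samples (hostnames and signatures are placeholders, not real values).
# LEAKED_STYLE_URL is shaped like the over-permissive account SAS described above;
# SCOPED_URL is a read-only service SAS on one blob, bound to a stored access policy.
LEAKED_STYLE_URL = (
    "https://storageaccount.blob.core.windows.net/?sv=2021-08-06&ss=bfqt&srt=sco"
    "&sp=rwdlacup&se=2051-10-06T00:00:00Z&sig=PLACEHOLDER_SIGNATURE"
)
SCOPED_URL = (
    "https://storageaccount.blob.core.windows.net/models/weights.bin?sv=2021-08-06"
    "&sr=b&sp=r&se=2023-09-19T00:00:00Z&si=readers&sig=PLACEHOLDER_SIGNATURE"
)
REFERENCE_NOW = datetime(2023, 9, 18, tzinfo=timezone.utc)  # fixed clock for repeatable checks
MAX_LIFETIME = timedelta(days=7)  # assumed organisational limit, not an Azure default
READ_ONLY = {"r", "l"}            # read and list; any other permission letter can change data


def _parse_expiry(value: str) -> datetime:
    """Parse the 'se' field, which may be a full UTC timestamp or a bare date."""
    if value.endswith("Z"):
        value = value[:-1]
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def audit_sas(url: str, now: Optional[datetime] = None) -> List[str]:
    """Return finding codes for a SAS URL; an empty list means nothing flagged."""
    now = now or datetime.now(timezone.utc)
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    findings = []
    if "ss" in q or "srt" in q:
        findings.append("account-sas")            # spans services: treat like the account key
        if set(q.get("srt", "")) & {"s", "c"}:
            findings.append("container-or-service-scope")  # not limited to single objects
    if set(q.get("sp", "")) - READ_ONLY:
        findings.append("write-permissions")
    if "se" not in q:
        findings.append("no-expiry")
    elif _parse_expiry(q["se"]) - now > MAX_LIFETIME:
        findings.append("long-lived")
    if "si" not in q and "skoid" not in q:
        findings.append("key-signed-unrevocable")  # revocable only by rotating the account key
    return findings


if __name__ == "__main__":
    for sample in (LEAKED_STYLE_URL, SCOPED_URL):
        print(audit_sas(sample, REFERENCE_NOW) or "no findings")
```

Running the audit over URLs found in repositories or logs gives a quick triage signal; a token flagged on every check is the kind that should be rotated out immediately.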
On a separate note, another data breach involving the popular MOVEit file transfer application has impacted Nuance Communications, Inc., a US-based business intelligence software company. Hackers took advantage of a bug in MOVEit to access customer data related to clinical documentation services provided to various health systems. The breach exposed names, medical information, and health insurance details of customers connected to health systems such as Atrium Health, Duke University Health System, Novant Health, and WakeMed. Nuance began notifying affected individuals on September 18.
In Australia, Pizza Hut experienced a data breach in which unauthorized parties gained access to the personal information of nearly 200,000 customers. The breach is attributed to the Shiny Hunters group. The compromised data includes customer names, delivery addresses, delivery instructions, email addresses, and contact numbers. However, payment card information and government identification data are not believed to be at risk.
Experts have highlighted the potential risks associated with the stolen data, particularly the hashed passwords. Although the passwords were hashed rather than stored in clear text, the hashes could potentially be cracked. Consequently, customers are advised to change their passwords across all systems, particularly if they have reused the same password elsewhere. Creating strong, unique passwords and using a password manager can improve security. Users are also encouraged to monitor their credit card statements, remain cautious of phishing attempts, and promptly report any suspicious activity.
Overall, these incidents underscore the need for robust security measures to protect sensitive data. Implementing best practices, such as minimizing the oversharing of access privileges and regularly updating passwords, can significantly mitigate the risk of data breaches.
Sources:
– Microsoft and Wiz.io vulnerability disclosure
– Nuance Communications data breach notice
– Pizza Hut data breach incident