Microsoft and Wiz.io Researchers Uncover Data Leak Risk in Azure Tokens


A recent vulnerability disclosure by Microsoft and cloud security specialists Wiz.io has shed light on the risks associated with oversharing data privileges when it comes to Azure Tokens. The coordinated effort aims to address the issue of shared access signature (SAS) tokens and the potential data leaks they can cause.

In June 2023, an unintentional data leak occurred when an employee shared an overly permissive SAS token in a public GitHub repository. While publishing an open source machine learning model, the employee linked to an Azure Blob storage URL that carried the token and unknowingly exposed sensitive information. The token granted access not just to the intended files but to the entire storage account, which contained 38TB of data, including sensitive employee data.

SAS tokens are risky by design: whoever creates one chooses its access level and expiry time, and nothing stops them from granting far more than a task needs. Additionally, once a token has been issued it is hard for administrators to track or revoke. The researchers at Wiz.io, Hillai Ben-Sasson and Ronny Greenberg, emphasize that the security and governance surrounding account SAS tokens should be treated with the same level of sensitivity as the account key itself. They advise against using account SAS for external sharing, because token creation mistakes are easily overlooked and can expose sensitive data.
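As an added illustration (not code from the Wiz or Microsoft report), the Python below reads the query parameters of a SAS URL and reports the properties the paragraph describes: account-wide scope (`ss`/`srt`), permissions beyond read in `sp`, and a distant `se` expiry. The sample URLs and the seven-day review threshold are constructed assumptions.

```python
"""Triage helper for Azure SAS URLs found in source code or repositories.
Added example, not code from the Wiz or Microsoft report; URLs are constructed.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Letters used in the 'sp' (signed permissions) parameter.
PERMISSION_NAMES = {"r": "read", "a": "add", "c": "create",
                    "w": "write", "d": "delete", "l": "list"}
MAX_LIFETIME = timedelta(days=7)  # assumed review threshold, not an Azure limit

# Constructed samples: one shaped like the leaked token, one tightly scoped.
EXAMPLE_NOW = datetime(2023, 6, 22, tzinfo=timezone.utc)
LEAKED_STYLE_URL = ("https://examplestorage.blob.core.windows.net/models"
                    "?sv=2021-06-08&ss=b&srt=sco&sp=rwdlac"
                    "&se=2051-10-06T00:00:00Z&sig=REDACTED")
SAFE_URL = ("https://examplestorage.blob.core.windows.net/models/model.bin"
            "?sv=2021-06-08&sr=b&si=readonly-policy&sp=r"
            "&se=2023-06-25T00:00:00Z&sig=REDACTED")

def parse_sas(url: str) -> dict:
    """Return the query parameters of a SAS URL as single-valued strings."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

def assess_sas(url: str, now: datetime) -> list:
    """Return human-readable findings; an empty list means nothing notable."""
    p = parse_sas(url)
    if "sig" not in p:
        return ["not a SAS URL: no 'sig' parameter"]
    findings = []
    # 'ss' (services) and 'srt' (resource types) appear only on account SAS,
    # which is signed with the account key and dies only when that key rotates.
    if "ss" in p or "srt" in p:
        findings.append("account SAS: scope is the whole storage account and "
                        "revocation requires rotating the account key")
    elif "si" not in p:
        findings.append("ad-hoc service SAS: no stored access policy to revoke")
    excess = sorted(PERMISSION_NAMES.get(c, c) for c in set(p.get("sp", "")) - {"r"})
    if excess:
        findings.append("permissions beyond read: " + ", ".join(excess))
    if "se" in p:
        expiry = datetime.fromisoformat(p["se"].replace("Z", "+00:00"))
        if expiry - now > MAX_LIFETIME:
            findings.append(f"expiry {p['se']} is {(expiry - now).days} days out")
    else:
        findings.append("no 'se' parameter: expiry must come from a stored policy")
    return findings
```

Run against a repository's extracted URLs, the same checks turn a leaked-token review from a judgement call into a short list of concrete findings.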

Fortunately, Microsoft and Wiz.io discovered the data leak before it was exploited but decided to publish their findings to prevent similar incidents in the future. The report includes key learnings and best practices to inform customers and help them avoid such mistakes.


On a separate note, another data breach involving the popular MOVEit file transfer application has impacted Nuance Communications, Inc., a US-based business intelligence software company. Attackers exploited a vulnerability in MOVEit to access customer data related to clinical documentation services provided to various health systems. The breach exposed names, medical information, and health insurance details of customers connected to health systems such as Atrium Health, Duke University Health System, Novant Health, and WakeMed. Nuance began notifying affected individuals on September 18.

In Australia, Pizza Hut experienced a data breach in which unauthorized parties gained access to the personal information of nearly 200,000 customers. The breach is attributed to the ShinyHunters group. The compromised data includes customer names, delivery addresses and instructions, email addresses, and contact numbers. However, payment card information and government identification data are not believed to be at risk.

Experts have highlighted the risks associated with the stolen data, particularly the hashed passwords. Although the passwords were stored as hashes rather than in plain text, hashed passwords can still be recovered by offline cracking. Consequently, customers are advised to change their passwords, particularly if they have reused the same password elsewhere. Creating strong, unique passwords and using a password manager reduce the impact of such leaks. Users are also encouraged to monitor their credit card statements, remain cautious of phishing attempts, and promptly report any suspicious activity.

Overall, these incidents underscore the need for robust security measures to protect sensitive data. Implementing best practices, such as minimizing the oversharing of access privileges and regularly updating passwords, can significantly mitigate the risk of data breaches.


Sources:
– Microsoft and Wiz.io vulnerability disclosure
– Nuance Communications data breach notice
– Pizza Hut data breach incident

Frequently Asked Questions (FAQs) Related to the Above News

What is the recent vulnerability disclosure by Microsoft and Wiz.io about?

The recent vulnerability disclosure by Microsoft and Wiz.io highlights the risks associated with oversharing data privileges when it comes to Azure Tokens. It focuses on the issue of shared access signature (SAS) tokens and the potential data leaks they can cause.

How did the unintentional data leak occur in June 2023?

The unintentional data leak occurred when an employee inadvertently shared an overly permissive SAS token in a public GitHub repository. While working on an open source artificial intelligence learning model, the employee referenced an Azure Blob store and unknowingly exposed sensitive information.

How much data was potentially at risk in the mishandled SAS token incident?

The mishandling of the SAS token potentially exposed the entire storage account, which contained 38TB of data, including sensitive employee data.

What vulnerabilities are associated with SAS tokens?

SAS tokens are risky by design: whoever creates one chooses its access level and expiry time, and nothing stops them from granting far more than a task needs. Once a token has been issued, it is hard for administrators to track or revoke.

What advice do the researchers provide regarding the use of account SAS for external sharing?

The researchers at Wiz.io advise against using account SAS for external sharing due to the potential for easily overlooked token creation mistakes that can expose sensitive data. They emphasize that the security and governance surrounding account SAS tokens should be treated with the same level of sensitivity as the account key itself.

Did the data leak in the Azure Tokens incident lead to any exploitation?

Fortunately, Microsoft and Wiz.io discovered the data leak before it was exploited. However, they decided to publish their findings to prevent similar incidents in the future.

What action did Nuance Communications take in response to the data breach involving the MOVEit file transfer application?

Nuance Communications, Inc. began notifying the affected individuals on September 18 after hackers took advantage of a bug in the MOVEit file transfer application to access customer data related to clinical documentation services provided to various health systems.

What types of data were exposed in the MOVEit file transfer application data breach?

The breach exposed names, medical information, and health insurance details of customers connected to health systems such as Atrium Health, Duke University Health System, Novant Health, and WakeMed.

What kind of data breach did Pizza Hut experience?

Pizza Hut experienced a data breach where unauthorized parties gained access to the personal information of nearly 200,000 customers.

What data was compromised in the Pizza Hut data breach?

The compromised data includes customer names, delivery addresses, instructions, email addresses, and contact numbers. However, paycard information and government identification data are not believed to be at risk.

Why should customers be concerned about the hashed passwords in the Pizza Hut data breach?

Experts have highlighted the risks associated with the stolen hashed passwords. Although the passwords were stored as hashes rather than in plain text, hashed passwords can still be recovered by offline cracking, which poses a security risk, especially for customers who reused the same password elsewhere.
