Microsoft Earns the S3 Bucket of Shame on Azure

Posted on Friday, Sep 29, 2023 by Ned Bellavance

Featured in this episode of Tech News of the Week

Researchers at Wiz found 38TB of data exposed through a Microsoft AI GitHub repo that linked to an Azure Storage account. The AI team at Microsoft had intended to share a subset of open-source training data housed in the storage account, but they accidentally set the wrong scope on the SAS tokens granting access: instead of just that subset, the token gave full access to the entire storage account.

Included in the storage account were internal Teams messages, secrets, private keys, passwords, and disk backups of two employees’ workstations. Compounding the issue is the fact that SAS tokens are not easily revoked: they are signed by the storage account key, so invalidating one means rotating that key, which invalidates every other token signed with it as well.

There are several other ways to share information with external parties that don’t involve account-level SAS tokens, and you would think that someone working at Microsoft would know this. What’s the over/under that they had an AI set all this up and thought, “Well, it looks good enough.”
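As an added illustration (not code from the post, Wiz, or Microsoft), here is a small Python check that classifies a SAS URL from its query parameters and flags the conditions described above: an account SAS (the `ss`/`srt` parameters) is signed by the account key and can only be revoked by rotating it, whereas a user delegation SAS (the `skoid` parameter) is signed by an Entra ID key and can be revoked without touching the account key. The account name and signatures in the sample URLs are placeholders.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Constructed sample URLs (placeholder account name and signature):
# an account SAS spanning every service and resource type with full permissions,
# and a user delegation SAS scoped to one container with read/list only.
SAMPLE_ACCOUNT_URL = (
    "https://exampleacct.blob.core.windows.net/?sv=2021-06-08&ss=bfqt&srt=sco"
    "&sp=rwdlacup&se=2050-01-01T00:00:00Z&spr=https&sig=PLACEHOLDER_SIG")
SAMPLE_DELEGATION_URL = (
    "https://exampleacct.blob.core.windows.net/dataset?sv=2021-06-08&sr=c"
    "&sp=rl&se=2023-10-06T00:00:00Z&skoid=00000000-0000-0000-0000-000000000000"
    "&sktid=00000000-0000-0000-0000-000000000000&sig=PLACEHOLDER_SIG")

def _parse_time(value):
    """Azure accepts date-only or full ISO 8601 UTC timestamps in 'se'."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def classify_sas(url, now=None):
    """Return the SAS kind plus a list of findings a reviewer should act on."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    now_dt = _parse_time(now) if now else datetime.now(timezone.utc)
    findings = []
    if "skoid" in q:        # signed with a user delegation key (Entra ID)
        kind = "user-delegation"
    elif "srt" in q:        # account SAS: 'ss' = services, 'srt' = resource types
        kind = "account"
        findings.append("account SAS is signed by the account key; revoking it "
                        "means rotating that key and every token signed with it")
        if set("sco") <= set(q["srt"]):
            findings.append("srt=sco covers service, container and object scope")
    elif "sr" in q:         # service SAS: sr=c (container) or sr=b (blob)
        kind = "service"
    else:
        kind = "unknown"
    perms = q.get("sp", "")
    if set(perms) & set("wdac"):      # write, delete, add, create
        findings.append(f"mutating permissions granted: sp={perms}")
    if "se" not in q:
        findings.append("no expiry (se) on token")
    elif _parse_time(q["se"]) - now_dt > timedelta(days=365):
        findings.append(f"expiry {q['se']} is more than a year away")
    return {"kind": kind, "permissions": perms, "findings": findings}
```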

This is another in a series of embarrassing security incidents at Microsoft, and it is starting to make me wonder how seriously they are taking security these days versus pouring money into the AI apocalypse.