Microsoft AI researchers accidentally exposed terabytes of internal sensitive data



Microsoft AI researchers accidentally exposed tens of terabytes of sensitive data, including private keys and passwords, while publishing a storage bucket of open-source training data on GitHub.

In research shared with TechCrunch, cloud security startup Wiz said it discovered a GitHub repository belonging to Microsoft’s AI research division as part of its ongoing work into the accidental exposure of cloud-hosted data.

Readers of the GitHub repository, which provided open source code and AI models for image recognition, were instructed to download the models from an Azure Storage URL. However, Wiz found that this URL was configured to grant permissions on the entire storage account, exposing additional private data by mistake.

This data included 38 terabytes of sensitive information, including the personal backups of two Microsoft employees’ personal computers. The data also contained other sensitive personal data, including passwords to Microsoft services, secret keys, and over 30,000 internal Microsoft Teams messages from hundreds of Microsoft employees.

The URL, which had exposed this data since 2020, was also misconfigured to allow “full control” rather than “read-only” permissions, according to Wiz, which meant anyone who knew where to look could potentially delete, replace, and inject malicious content into the stored files.

Wiz notes that the storage account wasn’t directly exposed. Rather, the Microsoft AI developers included an overly permissive shared access signature (SAS) token in the URL. SAS tokens are a mechanism used by Azure that allows users to create shareable links granting access to an Azure Storage account’s data.

“AI unlocks huge potential for tech companies,” Wiz co-founder and CTO Ami Luttwak told TechCrunch. “However, as data scientists and engineers race to bring new AI solutions to production, the massive amounts of data they handle require additional security checks and safeguards. With many development teams needing to manipulate massive amounts of data, share it with their peers or collaborate on public open-source projects, cases like Microsoft’s are increasingly hard to monitor and avoid.”

Wiz said it shared its findings with Microsoft on June 22, and Microsoft revoked the SAS token two days later on June 24. Microsoft said it completed its investigation on potential organizational impact on August 16.

In a blog post shared with TechCrunch before publication, Microsoft’s Security Response Center said that “no customer data was exposed, and no other internal services were put at risk because of this issue.”

Microsoft said that, as a result of Wiz’s research, it has expanded GitHub’s secret scanning service, which monitors all public open-source code changes for plaintext exposure of credentials and other secrets, to include any SAS token that may have overly permissive expirations or privileges.
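As an added example, not code from the article, Wiz or Microsoft, the following Python check works in the spirit of the expanded secret scanning described above: it parses the SAS parameters out of an Azure Storage URL and flags the three properties that made this token dangerous (write permissions, account-wide scope, distant expiry). The sample URLs, the seven-day threshold and the permission-letter mapping are assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# SAS "sp" permission letters that allow changing data, not just reading it
# (w=write, d=delete, a=add, c=create, u=update); assumed mapping for this check.
WRITE_PERMS = set("wdacu")

def parse_sas(url):
    """Return the SAS query parameters of an Azure Storage URL as a dict."""
    query = parse_qs(urlparse(url).query)
    return {key: values[0] for key, values in query.items()}

def audit_sas(url, now_iso=None, max_days=7):
    """Return findings for an overly permissive SAS URL (empty list = read-only,
    single-resource, short-lived). now_iso fixes the reference time for tests."""
    params = parse_sas(url)
    if "sig" not in params or "sv" not in params:
        return ["not a SAS URL: missing sig/sv parameters"]
    now = (datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
           if now_iso else datetime.now(timezone.utc))
    findings = []
    perms = set(params.get("sp", ""))
    if perms & WRITE_PERMS:
        findings.append("grants write/delete rather than read-only: sp=" + params["sp"])
    # Account SAS carries ss/srt and spans the whole account; service SAS carries sr (b=blob, c=container).
    if "ss" in params or "srt" in params:
        findings.append("account SAS: scope is the entire storage account (ss=%s srt=%s)"
                        % (params.get("ss", ""), params.get("srt", "")))
    elif params.get("sr") == "c":
        findings.append("service SAS scoped to a whole container, not one blob")
    expiry = params.get("se")
    if expiry is None:
        findings.append("no expiry (se) set")
    else:
        expires_at = datetime.fromisoformat(expiry.replace("Z", "+00:00"))
        if expires_at - now > timedelta(days=max_days):
            findings.append("expiry is more than %d days out: se=%s" % (max_days, expiry))
    return findings

# Constructed sample URLs (not the real ones from the incident); sig is a placeholder.
OVERLY_PERMISSIVE = ("https://example.blob.core.windows.net/models?sv=2020-08-04&ss=bfqt"
                     "&srt=sco&sp=rwdlacup&se=2051-10-02T00:00:00Z&sig=PLACEHOLDER")
READ_ONLY_BLOB = ("https://example.blob.core.windows.net/models/model.bin?sv=2020-08-04"
                  "&sr=b&sp=r&se=2023-09-20T00:00:00Z&sig=PLACEHOLDER")

if __name__ == "__main__":
    for url in (OVERLY_PERMISSIVE, READ_ONLY_BLOB):
        print(url.split("?")[0], audit_sas(url, now_iso="2023-09-18T00:00:00Z") or ["ok"])
```

Running the script prints three findings for the first URL and "ok" for the second; a real scanner would run the same check over every Azure Storage URL found in committed code.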


Lisa Holden
Lisa Holden is a news writer for LinkDaddy News. She writes health, sport, tech, and more. Some of her favorite topics include the latest trends in fitness and wellness, the best ways to use technology to improve your life, and the latest developments in medical research.
