Microsoft has fixed a security flaw that left internal business files and login information vulnerable to public access.A storage server hosted on Microsoft’s Azure cloud service was found to be open and public by security researchers Can Yoleri, Murat Özfidan, and Egemen Koçhisarlı of SOCRadar, a cybersecurity firm that assists organizations in identifying security flaws. The server contained internal Microsoft Bing search engine data.Code, scripts, and configuration files with passwords, keys, and other credentials that Microsoft workers used to access other corporate databases and systems were stored on the Azure storage server.
However, the storage server itself had no password protection, making it accessible to everyone with an internet connection.
According to Yoleri, TechCrunch, the data that was made public may aid malevolent actors in locating or breaking into more locations where Microsoft keeps its internal information. Finding those storage sites “may lead to more substantial data breaches and potentially jeopardize the functioning of the services,” according to Yoleri.On February 6, the researchers alerted Microsoft to the security breach, and on March 5, Microsoft took steps to safeguard the compromised files.
The duration of the cloud server’s internet exposure is unknown, as is the possibility that anybody other than SOCRadar found the exposed data within. Microsoft did not respond to an email requesting comment at the time of publication. Microsoft did not specify whether any of the publicly available internal credentials had been reset or altered.
This is Microsoft’s most recent security blunder as it works to win back consumer trust following a string of cloud security mishaps in recent years. Researchers discovered that Microsoft employees were disclosing their personal business network logins in code uploaded to GitHub in a similar security breach that occurred the previous year.
Microsoft faced criticism last year as well after acknowledging that it had no idea how hackers with Chinese support had obtained an internal email signature key, which gave the hackers complete access to senior American government officials’ Microsoft-hosted inboxes. The email leak was the result of a “cascade of security failures at Microsoft,” according to a study released last week by an independent board of cyber specialists tasked with examining it.
Microsoft announced in March that it was still battling an ongoing cyberattack that gave hackers with Russian state support access to parts of the company’s source code and private emails sent by Microsoft corporate officials.
