This post was originally published on IT Pro Today
This article originally appeared on Dark Reading.
An overly permissive file-sharing link allowed public access to a massive 38TB storage bucket containing private Microsoft data, leaving a variety of development secrets — including passwords, Teams messages, and files from two employees’ workstations — accessible to attackers.
Cloud data-security firm Wiz issued an advisory on the incident, which it said originated in the use of a Microsoft Azure feature known as a Shared Access Signature (SAS) token. A SAS token allows users with a link to access an otherwise private data repository. The specific at-risk repository belonged to Microsoft’s AI research division, which, in its public GitHub repository, directed users to download open source images and code from the Azure Storage bucket via the SAS link.
However, the link was misconfigured and allowed access to the entire private storage instance, making the sensitive files and data public.
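As an added illustration (not part of the original article or the Wiz advisory), the Python sketch below audits a SAS URL for the kind of over-broad scope described above, using Azure's SAS query parameters (ss/srt for an account SAS, sr for a service SAS, sp for permissions, se for expiry). The sample URLs, the account name and the 7-day lifetime threshold are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample links: account, container and signature are placeholders.
SAMPLE_ACCOUNT_SAS = (
    "https://exampleacct.blob.core.windows.net/models?"
    "sv=2021-08-06&ss=b&srt=sco&sp=rwdlac&se=2040-01-01T00:00:00Z&sig=PLACEHOLDER"
)
SAMPLE_BLOB_SAS = (
    "https://exampleacct.blob.core.windows.net/models/weights.bin?"
    "sv=2021-08-06&sr=b&sp=r&se=2023-09-25T00:00:00Z&sig=PLACEHOLDER"
)
MAX_LIFETIME = timedelta(days=7)  # assumed policy threshold, not from the article


def audit_sas_url(url, now):
    """Return a list of findings for one SAS URL, judged at time `now` (UTC)."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in q:
        return ["not a SAS URL (no sig parameter)"]
    findings = []
    # An account SAS carries ss/srt and is scoped to the storage account,
    # not to the single container or blob named in the URL path.
    if "ss" in q or "srt" in q:
        findings.append("account-level SAS: scope is the whole storage account")
    elif q.get("sr") == "c":
        findings.append("container-level SAS: every blob in the container is reachable")
    # Anything beyond read (r) and list (l) lets the link holder change data.
    extra = "".join(sorted(set(q.get("sp", "")) - set("rl")))
    if extra:
        findings.append("permissions beyond read/list: " + extra)
    expiry = q.get("se")
    if expiry is None:
        findings.append("se missing: expiry, if any, comes from a stored access policy")
    else:
        exp = datetime.fromisoformat(expiry.replace("Z", "+00:00"))
        if exp.tzinfo is None:  # date-only values parse as naive; treat as UTC
            exp = exp.replace(tzinfo=timezone.utc)
        if exp - now > MAX_LIFETIME:
            findings.append(f"expiry {expiry} is more than {MAX_LIFETIME.days} days away")
    return findings


if __name__ == "__main__":
    now = datetime(2023, 9, 18, tzinfo=timezone.utc)  # constructed reference time
    for link in (SAMPLE_ACCOUNT_SAS, SAMPLE_BLOB_SAS):
        print(urlsplit(link).path, audit_sas_url(link, now) or "no findings")
```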
The incident underscores the potential for security missteps when using SAS links, says Ami Luttwak, chief technology officer and co-founder of cloud data-security firm Wiz.
“The AI researcher just wanted to share a database, which is fine,