It's not every day you stumble upon a treasure trove of secrets. But
that's precisely what happened when a Microsoft researcher, probably multitasking
between coding and binge-watching cat videos, shared a URL on a public GitHub repository. Little did they know, they
were about to gift the world 38TB of Microsoft's deepest data secrets.
Picture this: June 2023, a Microsoft researcher innocently shares a URL
on a public GitHub repository while contributing to an open-source AI model.
Harmless, right? Wrong. The URL contained a "shared access signature"
(SAS) token, and this wasn't your average token.
28 Years of Access
SAS tokens, designed to restrict access to Azure Storage (part of
Microsoft’s cloud offering), are like the wild cards in a deck of otherwise
predictable playing cards. They're flexible, and herein lies the rub. Users can
customize access levels, adjust expiry times, and essentially create tokens
that never expire – our star token was valid till 2051, a good 28 years from
now. You can learn all about them here,
courtesy of Microsoft. Perhaps read on first, though.
Now, here's where we go from mild mishap to serious problem. This
particular SAS token, configured with the techy finesse of a bull in a china
shop, granted access across an entire storage account. A storage account that
happened to house 38TB of data, including sensitive employee information,
secret keys, and internal team messages. Oops.
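As an added example (not code from Wiz or Microsoft), here is a pre-publication check that flags the traits described above in any SAS URL found in a file: account-wide scope, permissions beyond read/list, and a far-off expiry. The query parameters (sv, ss, srt, sr, sp, se, sig) are Azure's SAS fields; the 7-day threshold, function names, account name and signature are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

MAX_LIFETIME_DAYS = 7  # assumed policy threshold, not an Azure default

def audit_sas_url(url, now):
    """Return findings for one URL; an empty list means nothing was flagged."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in q or "se" not in q:
        return []  # no signature/expiry pair, so not a SAS URL
    findings = []
    # An account SAS carries ss (services) and srt (resource types);
    # a service SAS names one resource kind in sr instead.
    if "ss" in q and "srt" in q:
        findings.append(f"account-level scope (ss={q['ss']}, srt={q['srt']})")
    risky = set(q.get("sp", "")) - set("rl")
    if risky:
        findings.append("permissions beyond read/list: " + "".join(sorted(risky)))
    expiry = datetime.fromisoformat(q["se"].replace("Z", "+00:00"))
    if expiry.tzinfo is None:  # date-only expiry values are UTC
        expiry = expiry.replace(tzinfo=timezone.utc)
    days = (expiry - now).days
    if days > MAX_LIFETIME_DAYS:
        findings.append(f"expires {expiry.date()} ({days} days from now)")
    return findings

def scan_text(text, now=None):
    """Audit every https URL in a file's text, e.g. a README about to be pushed."""
    now = now or datetime.now(timezone.utc)
    urls = re.findall(r"https://[^\s\"'<>)]+", text)
    return {u: f for u in urls if (f := audit_sas_url(u, now))}

# Constructed sample input: placeholder account name and signature.
SAMPLE_README = """
Download the models:
https://exampleaccount.blob.core.windows.net/models?sv=2021-10-04&ss=b&srt=sco&sp=rwl&se=2051-01-01T00:00:00Z&sig=PLACEHOLDER
Single file:
https://exampleaccount.blob.core.windows.net/models/a.bin?sv=2021-10-04&sr=b&sp=r&se=2023-06-23T00:00:00Z&sig=PLACEHOLDER
"""

if __name__ == "__main__":
    for url, findings in scan_text(SAMPLE_README).items():
        print(url.split("?")[0], findings)
```

Only the first sample URL is reported; the second is scoped to one blob, read-only and short-lived, so it passes.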
🚨 BREAKING: Wiz Research discovers a massive 38TB data leak by Microsoft AI researchers, including 30,000+ internal Teams messages.
Here's what you need to know 🧵 pic.twitter.com/2V8u9IekGV
— Wiz (@wiz_io) September 18, 2023
Keys to the Kingdom?
Thankfully, it wasn't all doom and gloom. The brilliant minds at Wiz.io, a cloud security firm, discovered the
mishap and joined forces with Microsoft to contain the chaos. In a coordinated vulnerability
disclosure report, they revealed the mishap. The silver lining? No customer
data was exposed, and the incident has given Microsoft a valuable lesson. Now,
releasing the inside story after the problem has been resolved and fixed,
hopefully to never happen again, is common in the world of IT security. The eagle-eyed
among you will have noticed that this occurred in June, but the story’s only
recently been doing the rounds. However, it certainly sounds like Microsoft had
to jump when Wiz.io got on the phone, and no doubt there were some hasty
apologies.
Microsoft acknowledged the blunder and promised to enhance its SAS
token feature. They also emphasized the importance of creating and managing
these tokens properly, just like guarding the keys to your kingdom.
The key takeaway from all of this is to not share your data in a public
space. We can’t believe we’ve had to write that, but there you go.