After identifying the exposure, Wiz reported the issue to the Microsoft Security Response Center (MSRC).
San Francisco: Microsoft on Monday admitted that backups of two former employees’ workstation profiles and internal Microsoft Teams messages of these two employees with their colleagues were exposed accidentally, adding that no customer data was exposed.
The admission came as cloud security startup Wiz discovered a GitHub repository belonging to Microsoft’s AI research division as part of its work into the accidental exposure of cloud-hosted data.
After identifying the exposure, Wiz reported the issue to the Microsoft Security Response Center (MSRC).
The tech giant investigated and remediated the incident involving a Microsoft employee who shared a URL for a blob store in a public GitHub repository while contributing to open-source AI learning models.
“This URL included an overly-permissive Shared Access Signature (SAS) token for an internal storage account. Security researchers at Wiz were then able to use this token to access information in the storage account,” said Microsoft.
“No customer data was exposed, and no other internal services were put at risk because of this issue,” the tech giant said in a blog post.
SAS tokens provide a mechanism to restrict access and allow certain clients to connect to specified Azure Storage resources.
In this case, a researcher at Microsoft inadvertently included this SAS token in a blob store URL while contributing to open-source AI learning models and provided the URL in a public GitHub repository.
“There was no security issue or vulnerability within Azure Storage or the SAS token feature. Like other secrets, SAS tokens should be created and managed properly. Additionally, we are making ongoing improvements to further harden the SAS token feature and continue to evaluate the service to bolster our secure-by-default posture,” Microsoft noted.
The information that was exposed consisted of information unique to two former Microsoft employees and these former employees’ workstations. “Customers do not need to take any additional action to remain secure,” said the company.