Microsoft’s AI research team inadvertently exposed approximately 38 terabytes of private data on GitHub while sharing open-source training data. The exposed data included sensitive information such as secrets, private keys, passwords, and over 30,000 internal Microsoft Teams messages. This exposure occurred due to a misconfiguration in the use of Azure’s Shared Access Signature (SAS) tokens, which were meant to share files but inadvertently granted access to the entire storage account.
Key points regarding the incident and Microsoft’s response:
- Cause of Exposure: Researchers used Azure’s SAS tokens but configured them incorrectly. Instead of limiting access to specific files, the link provided access to the entire storage account, including the private data.
- Full Control Permissions: The misconfigured SAS token also allowed for “full control” permissions, which meant that an attacker could not only view the files but also delete and overwrite them.
- Response by Microsoft: The security company Wiz, which discovered the exposure, reported its findings to Microsoft on June 22. Microsoft promptly revoked the SAS token on June 24.
- No Customer Data at Risk: Microsoft’s investigation concluded that no customer data or other Microsoft services were at risk due to this issue. Customers were assured that no additional action was required for their security.
- Explanation from Microsoft: Microsoft attributed the problem to a Microsoft researcher who accidentally included the SAS token in a public GitHub repository while contributing to open-source AI learning models. The issue was not related to any security vulnerability within Azure Storage or the SAS token feature.
- Preventive Measures: Microsoft emphasized the importance of creating and handling SAS tokens correctly, following best practices. They also mentioned their active efforts to improve detection and scanning tools to identify cases of over-provisioned SAS URLs and enhance their secure-by-default approach.
In summary, the exposure of private data was an unintended consequence of a misconfigured SAS token, but Microsoft took swift action to address the issue and confirmed that customer data and services remained secure. They are also working on further improvements to prevent such incidents in the future.
