Microsoft has resolved a security bug that exposed internal company files and credentials to the open Internet.
Security researchers Can Yoleri, Murat Özfidan and Egemen Koçhisarlı with SOCRadar, a cybersecurity company that helps organizations find security weaknesses, discovered an open and public storage server hosted on Microsoft’s Azure cloud service that stored internal information about Microsoft’s Bing search engine.
The Azure storage server hosted code, scripts, and configuration files that contained passwords, keys, and credentials used by Microsoft employees to access other internal databases and systems.
But the storage server itself was not password protected and could be accessed by anyone on the Internet.
Yoleri told TechCrunch that the exposed data could potentially help malicious actors locate or gain access to other places where Microsoft stores its internal files. Identifying these storage locations “could lead to more significant data leaks and potentially compromise the services being used,” Yoleri said.
The researchers notified Microsoft of the security flaw on February 6, and Microsoft secured the leaked files on March 5.
It is not known how long the cloud server was exposed online or if anyone other than SOCRadar discovered the exposed data inside. When reached by email, a Microsoft representative did not comment by the time of publication. Microsoft did not say whether it had reset or changed any of the exposed internal credentials.
This is the latest security gaffe at Microsoft as the company tries to rebuild trust with its customers after a series of cloud security incidents in recent years. In a similar security breach last year, researchers found that Microsoft employees were exposing their own corporate network logins in code published on GitHub.
Microsoft also came under fire last year after the company admitted it didn’t know how China-backed hackers stole an internal email signing key that gave hackers broad access to the Microsoft-hosted inboxes of senior government officials. An independent panel of cyber experts tasked with investigating the email breach wrote in its report, released last week, that the hackers succeeded because of a “cascade of security failures at Microsoft.”
In March, Microsoft said it was still dealing with an ongoing cyberattack that allowed Russian state-backed hackers to steal parts of the company’s source code and internal emails from Microsoft executives.