- Disable User
- Posts
- 🤭 Microsoft's "Oops" Moment: 38 Terabytes of Data Exposed
🤭 Microsoft's "Oops" Moment: 38 Terabytes of Data Exposed
what can we learn from Microsoft's next blunder?
Disable User
September 25, 2023
Hi and welcome to another Security weekly. Where we laugh, we cry and share the latest and greatest in security and tech news.
In this week's edition:
🤭 Microsoft's "Oops" Moment: 38 Terabytes of Data Exposed
📰 Bits & Bytes
❓ Disable User explains: Token Misconfiguration
🔥 meme of the week
Reading time: 02:23
🤭 Microsoft's "Oops" Moment: 38 Terabytes of Data Exposed
Microsoft, the gift that keeps on giving.
This week, the tech giant admitted to a security blunder that exposed a whopping 38 terabytes of internal data.
The data included training data, but also harddisk copies of former MS employees containing secrets, passwords and other sensitive stuff.
For anyone wondering how much data 38 Terrabytes really is, I made a stunning graphical representation on LinkedIn.
The leak was traced back to Microsoft's AI GitHub repository, ironically named "robust-models-transfer". You have to admit, Microsoft is never shy for a joke or two.
The researchers wanted to share certain data on the repository, but accidentally shared the entire account.
The repository was a playground for anyone who stumbled upon it, thanks to an overly permissive SAS token.
What's a SAS token, anyway?
Glad you asked.
SAS tokens, or Shared Access Signatures, are like VIP passes to Azure's storage club.
They have specific permissions - SAS tokens grant specific types of access to particular Azure resources: read, write, or delete. If you’re on the list, you can only do what the bouncer tells you to.
They’re time-bound - These tokens have an expiration date that matches it’s usecase. Or, at least if configured properly. If you arrive too late, you’re not getting in.
But, once they’re configured and handed out, they’re hard to keep track.
Luckily Microsoft set a perfect example.
Microsoft's SAS token was set to "full control," essentially turning the VIP pass into an all-access backstage pass. You could not only mingle with the band but also trash the dressing room.
Dang, wish I could use that facepalm GIF again..
..then again, who’s stopping me?
The aftermath
Microsoft of course went into damage control, assuring everyone that no customer data was compromised.
They've since revoked the SAS token and are scanning for any other "overly permissive" tokens.
The lesson here is clear: SAS tokens are as sensitive as your grandma's porcelain collection: don’t touch them unless you have to.
The blunders keep piling up
This isn't Microsoft's first rodeo with security blunders.
Just two weeks ago, they admitted to another breach, this time at the hands of Chinese hackers.
It's like a never-ending episode of America's Most Wanted: Cyber Edition.
Bits & Bytes
T-Mobile app glitch let users see other people's account info - Imagine being one of T-Mobile’s Privacy Officers and hearing about this. Actually, I don’t think they have any.
China Accuses U.S. of Decade-Long Cyber Espionage Campaign Against Huawei Servers - Uno reverso
3 iOS 0-days, a cellular network compromise, and HTTP used to infect an iPhone - Click that “Install Now” button, I know you want to.
Compromised Free Download Manager website was delivering malware for years - This line had me in tears: “Free Download Manager is—unsurprisingly—a download manager”
LastPass: ‘Horse Gone Barn Bolted’ is Strong Password - not saying you deserve this if you’re still using LastPass, but you kinda do.
Token Misconfiguration
When security tokens are set up incorrectly, leading to unauthorized access.
It's like leaving your house keys under the doormat and then posting a sign that says, "The keys are under the mat!"
Meme of the week
