In 2021, a security company found it could access all the data held by other companies that used the Microsoft Cosmos DB service. This cross-tenant hack enables one tenant on the shared Azure service to access resources used by other tenants, sort of like drilling a hole in your wall to spy on your neighbors. But once discovered, it got worse:
“But the stunning finding made researchers at Wiz and several other vendors curious to find out how prevalent this new class of cross-tenant vulnerability actually is. That led to the discovery of another scary bug in an Azure service a month later. Then another. Then three more — for a total of six critical Azure vulnerabilities in as many months.
Including ChaosDB, five of the critical vulnerabilities demonstrated the possibility of breaching large numbers of different cloud environments, or tenants, in one fell swoop. A cross-tenant flaw like ChaosDB is “the most severe vulnerability that could be found in a cloud service provider,” said Shir Tamari, head of Research at Wiz.
The Wiz research team was not out looking for this type of vulnerability, and only found ChaosDB by accident, Tamari said. The finding was a revelation to researchers that this type of issue is even possible in the public cloud, he said.
Security researchers would go on to discover a pair of critical vulnerabilities in AWS too. But the lion’s share of the most severe vulnerabilities over the past year have been found in Azure, researchers say. To some security researchers and industry analysts, this series of issues raises questions about Microsoft’s approach to securing its Azure services.”
Perhaps building a cloud service platform out of servers designed for single companies made the security issues harder for Microsoft to wrangle versus the multiple server structure preferred by AWS?
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group