One of Microsoft’s AI teams that uploaded training data on GitHub, in a bid to offer other researchers open-source code and AI models for image recognition inadvertently exposed 38 TB of personal data. Wiz, a cybersecurity firm, discovered a link included in the files that contained backups of Microsoft employees’ computers. (Source).
Microsoft’s AI Data Leak – What was stored in the leaked files?
The leaked backup files contained passwords for Microsoft services and secret keys. Furthermore, it had over 30,000 Internal Teams messages from hundreds of tech giant’s employees.Leaking 38 TB of data is undoubtedly serious, but Microsoft assures there is no cause for concern. The company states that this was the company’s data, and “no customer data was exposed, and none of its services were put at risk”.
How The Incident Happened?
The link for the files was intentionally included, allowing interested researchers to download pretrained AI models. This was not accidental. Microsoft’s researchers have been using an Azure feature called “SAS tokens”. The SAS tokens allow users to create shareable links that give other people access to data in their Azure Storage account. Users can choose what information can be accessed through the SAS links. They can share a single file, a full container or their entire storage. In Microsoft’s case, the researchers shared a link that had access to the full storage account. Anyone with access to the tokens could easily get into the files.
What are SAS Tokens?
Azure SAS tokens are like secure passes for accessing your resources in the Azure cloud. Think of them as temporary keys that grant specific permissions to someone or something (like an application) to interact with your Azure services.
Here’s how they work:
- Resources: In Azure, you have various resources like storage accounts, containers, or files. These are like digital assets you want to protect or share.
- Access Permissions: SAS tokens allow you to define what actions someone can perform on those resources. For example, you can grant read-only access, write access, or both.
- Expiry Date: You can set an expiration date for SAS tokens. Once the token expires, it becomes useless, adding a layer of security and control.
- Scope: SAS tokens can be scoped to specific resources or even specific parts of a resource. You can, for instance, grant access to a particular file in a storage container.
- Security: They provide a secure way to share access without revealing your primary account keys. This is crucial for security since you don’t want to expose your entire Azure resource to others.
Essentially, Azure SAS tokens provide a means to share limited, controlled access to your Azure resources. This without giving away your full access rights. They are incredibly useful for scenarios where you want to grant temporary access to certain parts of your environment. You can keep the rest of your resources safe and secure.
Gizchina News of the week
The Consequence
The cloud security company, then reported the issue to Microsoft, which promptly fixed it. Microsoft explained that it rescans all its public repositories, but its system had marked this particular link as a “false positive”. The company fixed the issue, so the system can now detect SAS tokens that are too permissive than intended in the future. As for the employees, it’s not clear if they will suffer any kind of consequence from Microsoft. However, this certainly could harm Microsoft’s reputation among consumers. Just imagine if the files stored there were even more sensitive, like customers or service-related data? It would be a complete mess.
It’s worth noting that when used correctly, Shared Access Signature (SAS) tokens offer a secure means of granting delegated access to resources within your storage account. (Source).
The SAS Token in Azure Cloud Was One of the Catalysts of Such Incident – Microsoft Recommends Good Practices for Security
Although the SAS token in this story has been fixed, it only highlights the problem involving this kind of security token. Well, improperly configured SAS tokens could potentially lead to data leaks and bigger problems with privacy. Microsoft is aware of this fact and acknowledges that “Users Need to create and handle the SAS tokens appropriately”. The company also provides a list with the best practices when using them. Hopefully, the company’s employees will start to adopt such practices and avoid issues like this one. You can see some of the tips below:
Best Practices for Handling SAS URLs:
- Apply The Principle of Least Privilege: Scope SAS URLs to the smallest set of resources required by clients. Limit permissions to only those needed by the application.
- Use short-live SAS: Always use a near-term expiration time when creating a SAS, and have clients request new SAS URLs when needed. Azure Storage currently recommends 1 hour or less for all SAS URLs.
- Handle SAS Tokens Carefully: SAS URLs grant access to your data, treat them as an application secret.
- Monitor and Audit Your Application: Track requests to your storage account. Enable Azure Monitor and Azure Storage Logs.
Conclusion
This particular history highlights that big data leaks can happen even on large corporations like Microsoft. The fact that employees in these companies are constantly dealing with huge amounts of data highlights the need for extra security measures to avoid issues like this one. Thankfully, the situation here was not alarming as leaking user data. Hopefully, Microsoft will learn with mistakes and avoid incidents like this in the future.
