The security vendor Wiz found 38 TB of data, including 30,000 internal Teams messages, while examining a Microsoft AI GitHub repository. According to Wiz, a SAS token misconfigured by the AI research team caused the exposure.
According to the Wiz Research Team, Microsoft's AI research team made a few glaring mistakes when publishing open source training data on GitHub. When the data was published, a total of 38 terabytes was accidentally included in the shared scope and thereby exposed. Among it: private data, including a hard drive backup of two employees' workstations.
38 TB of data including tokens, passwords and keys
The team accidentally published a backup containing sensitive data, private keys, passwords and over 30,000 internal Microsoft Teams messages. The researchers shared their files using an Azure feature called SAS tokens, which allows you to share data from Azure storage accounts. The access level can be limited to specific files; in this case, however, the link was configured to share the entire storage account - including an additional 38 TB of private files.
This is how the data was discovered
As part of the Wiz research team's ongoing work, the team studies data hosted in the cloud, where incorrectly configured storage containers are a frequent finding. In this case, the team found a GitHub repository under the Microsoft organization called robust-models-transfer. The repository belongs to Microsoft's AI research division and provides open source code and AI models for image recognition.
Readers of the repository were instructed to download the models from an Azure Storage URL. The Wiz team simply requested this URL. However, because of a misconfiguration, the URL granted access not only to the open source models but to the entire storage account, and the private data stored there was thereby disclosed. A subsequent scan showed that this account contained 38 TB of additional data - including Microsoft employees' PC backups. The backups contained sensitive personal data, including passwords to Microsoft services, secret keys and over 30,000 internal Microsoft Teams messages from 359 Microsoft employees.
Wiz gives a more detailed description of the misconfiguration and its consequences in its blog post.
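The root cause described above and in the SAS token paragraph earlier is a token whose scope (the whole storage account rather than a few files) and permissions were far broader than the sharing use case required. The following audit script is an added example, not Wiz's tooling or any Microsoft code: it inspects the documented SAS query parameters (sv, ss, srt, sr, sp, se) of URLs found in a README or configuration and flags account-level scope, write or list permissions and long expiry. The hostnames, paths, signatures and the 30-day lifetime policy are constructed placeholders, and the real signature value is never needed for the check.

```python
"""
Audit the scope of Azure Storage SAS URLs found in a repository README or
configuration. Example code added here; standard library only. The sample
URLs are constructed, and every 'sig' value is a placeholder, not a credential.
"""
from datetime import datetime, timezone, timedelta
from typing import List, Optional
from urllib.parse import urlsplit, parse_qs

# Constructed sample URLs (hostnames, paths and 'sig' values are placeholders).
SAMPLE_URLS = [
    # Service SAS scoped to a single blob, read-only, short expiry: acceptable.
    "https://example.blob.core.windows.net/models/resnet50.pt"
    "?sv=2021-06-08&sr=b&sp=r&se=2024-01-31T00:00:00Z&sig=PLACEHOLDER",
    # Account SAS (ss/srt present) covering service, container and object
    # levels with read/write/delete/list permissions and a far-future expiry.
    "https://example.blob.core.windows.net/models/resnet50.pt"
    "?sv=2021-06-08&ss=b&srt=sco&sp=rwdl&se=2051-10-06T00:00:00Z&sig=PLACEHOLDER",
]

MAX_LIFETIME = timedelta(days=30)   # policy threshold, an assumption for this example
WRITE_PERMS = set("wdacu")           # write, delete, add, create, update


def parse_sas(url: str) -> dict:
    """Return the single-valued SAS query parameters of a URL as a dict."""
    query = parse_qs(urlsplit(url).query)
    return {k: v[0] for k, v in query.items()}


def audit_sas(url: str, now_iso: Optional[str] = None) -> List[str]:
    """Return findings for one SAS URL; an empty list means nothing stood out.

    now_iso fixes the reference time (ISO 8601, 'Z' allowed) so results are
    reproducible; by default the current UTC time is used.
    """
    now = (datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
           if now_iso else datetime.now(timezone.utc))
    p = parse_sas(url)
    findings: List[str] = []
    if "sig" not in p:
        return ["no SAS signature present (not a SAS URL)"]
    # An account SAS is valid for the whole storage account, not one blob.
    if "srt" in p or "ss" in p:
        findings.append(f"account-level SAS (srt={p.get('srt', '?')}): "
                        "grants access across the entire storage account")
    elif p.get("sr") == "c":
        findings.append("container-level SAS: every blob in the container is reachable")
    perms = set(p.get("sp", ""))
    if perms & WRITE_PERMS:
        findings.append(f"write-capable permissions sp={p['sp']}: token can modify or delete data")
    if "l" in perms:
        findings.append("list permission: token allows enumerating blobs")
    if "se" in p:
        expiry = datetime.fromisoformat(p["se"].replace("Z", "+00:00"))
        if expiry - now > MAX_LIFETIME:
            findings.append(f"expiry {p['se']} is more than {MAX_LIFETIME.days} days away")
    else:
        findings.append("no expiry (se) in the URL")
    return findings


if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(sample.split("?")[0])          # never echo the signed query string
        for finding in audit_sas(sample, "2024-01-01T00:00:00Z") or ["ok"]:
            print("  -", finding)
```

The script deliberately reads only the query parameters and never validates or uses the signature, so it can run over a repository's documentation offline. The first sample URL produces no findings; the second is reported as account-wide, write-capable, listable and valid for decades, which is the shape of token that turns a model download link into a full storage account exposure.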
More at WIZ.io
About Wiz
We're reinventing cloud security from the inside out. Led by an experienced and visionary team, our mission is to help companies create secure cloud environments that accelerate their business. By creating a normalizing layer between cloud environments, our platform enables organizations to quickly identify and remediate critical risks.