Azure Cosmos DB breach: What happened with ChaosDB?

In this post, we take look at what happened with the ChaosDB Azure Cosmos DB breach, what you need to know now, and what it means for cloud computing in general.

There were a lot of red faces in the Cosmos DB department of Microsoft Azure this week. The research company Wiz announced they had been able to access any Cosmos DB account on Azure in what they called ChaosDB.

While the details on how the exploit works haven't been revealed, we do know this much: Wiz gained access to all customers' Cosmos DB primary keys. All.

These are the manna to cyber attackers as primary keys are hardly ever changed, and they give access to read, write and delete operations. Yeah.

This was done through a feature called Jupyter Notebook, which is a user-friendly way to visualize large amounts of data, among other things. It's great for customers that want to have a visual idea of what the data

contains, how it's structured, and so on.

Wiz found a way to elevate their privileges in their own Jupyter Notebook instance which, in turn, let them access any other Cosmos DB customer's Notebook.

Having this access, it was then simple to harvest all the primary keys, and then use those to log into any Cosmos DB account.

Every single Cosmos DB customer on Azure is affected by this breach. This includes many Fortune 500 companies.

The Jupyter Notebook was first introduced in 2019, but, from February 2021, it was enabled automatically for all accounts.

While the feature for new accounts would be disabled after three days, this has still left a very large number of accounts with possible exposure.

And it could be considered that even three days of enabling Jupyter Notebook would be enough to allow someone to get hold of the primary key.

Microsoft says they emailed 30% of their Cosmos DB customers directly, which were the ones that had Jupyter Notebooks enabled at the time Wiz found the exploit.

I'd still recommend — and so does Wiz — that you rotate your primary keys for all your Cosmos DB instances,

regardless of whether you've been emailed or not.

This incident is certainly among the much more serious and critical I have come across in my time living in the cloud.

Microsoft did a fantastic job of removing the vulnerability within 48 hours of being notified. They told customers quickly, and they even paid Wiz $40,000 for finding the bug.

However, the question I'm interested in answering is what does this mean for cloud computing?

Get the Cloud Dictionary of Pain
Speaking cloud doesn’t have to be hard. We analyzed millions of responses to ID the top concepts that trip people up. Grab this cloud guide for succinct definitions of some of the most painful cloud terms.

While the breach is serious, it really is, I'm kind of glad it happened in the cloud. Yep.

The impact is great initially, because many more customers are on the same platform, but there are so many more eyes on it as well.

Wiz found the vulnerability because it is in the cloud.

It got plugged super-fast because it's in the cloud.

And all customers know about it because well, it's in the cloud.

In cases like this, responsible disclosure is key to allow users and customers to fix the issue as fast as humanly possible. Being in the cloud-enabled that.

If this vulnerability had been part of an on-premises setup, not only would it have been unlikely to be discovered in any meaningful way, but if it had, then the fix would have been for only one customer or installation.

In addition, you have all the engineers of Azure looking out for you, rather than just a single IT department in your company.

Part of me doesn’t ever want to see these kinds of breaches, of course, but I'm not that naive to think they'll never happen. And when they do, I'd much rather have them happen on a cloud computing platform where vast

amounts of expertise and resources can pounce on them immediately.

Were you impacted by the ChaosDB vulnerability? What's your opinion on it? Let us know me know via Twitter (I'm @LarsKlint or you can find ACG here) or in the comments on the accompanying video on YouTube. (I'd love to get more insight into how these events affect the actual companies using the services.)

Also, stay tuned every week to Azure This Week for more critical updates and insights.

As we say on the A Could Guru team when there is panic in the office about vulnerabilities . . . but then you realize there isn't even an office, "Seek and you shall cloud." See you next time, and keep being calm, cloud gurus.

Level up your career. Learn more about the most in-demand tech skills with A Cloud Guru. Check out this month’s free courses or get a free 7-day trial.