Zack Whittaker and Carly Page report via TechCrunch: Microsoft has resolved a security flaw that exposed internal files and credentials to the open Internet. Security researchers Can Yoleri, Murat Ozfidan, and Egemen Kokuchisarli, working with SOCRadar, a cybersecurity company that helps organizations find security weaknesses, discovered an open, public storage server hosted on Microsoft's Azure cloud service that was storing internal information related to Microsoft's Bing search engine. The Azure storage server held code, scripts, and configuration files containing passwords, keys, and credentials used by Microsoft employees to access other internal databases and systems. However, the storage server itself was not password protected and could be accessed by anyone on the Internet.
Yoleri told TechCrunch that the leaked data could help malicious actors identify or access other locations where Microsoft stores internal files. Identifying these storage locations “could result in a more significant data breach and compromise the services you use,” Yoleri said. The researchers notified Microsoft of the security lapse on February 6th, and Microsoft secured the leaked files on March 5th. It's unclear how long the cloud server was exposed to the internet or whether anyone other than SOCRadar discovered the exposed data inside.