Microsoft AI researchers accidentally leaked 38TB of internal data, including private keys and passwords

Author: IT House

IT House, September 18: Cloud security startup Wiz Research announced today that it found a data breach in Microsoft AI's GitHub repository, all caused by a misconfigured SAS (IT House note: Shared Access Signature) token.

In detail, Microsoft's AI research team released open-source training data on GitHub but accidentally exposed 38TB of other internal data, including disk backups of several Microsoft employees' personal PCs. The disk backups contained secrets, private keys, passwords, and more than 30,000 Microsoft Teams messages from hundreds of Microsoft employees.

The GitHub repository provides open-source code and AI models for image recognition, and visitors are asked to download models from Azure Storage URLs. However, Wiz discovered that the URL was configured to grant permissions to the entire storage account, incorrectly exposing other private data.

The URL in question has allegedly exposed this data since 2020. It was also incorrectly configured to allow "full control" rather than "read-only" permissions, meaning that anyone who knew where to look could delete, replace, or inject malicious content into the storage account.

Wiz said it reported the issue to Microsoft on June 22, and two days later, on June 24, Microsoft announced that the SAS token had been withdrawn. Microsoft said it completed its investigation into potential organizational impact on August 16.

The specific timeline of the entire event is as follows:

  • July 20, 2020 - SAS token first committed to GitHub; expiration date set for October 5, 2021
  • October 6, 2021 - SAS token expiration date updated to October 6, 2051
  • June 22, 2023 - Wiz Research identified an issue and reported it to Microsoft
  • June 24, 2023 - Microsoft announces the expiration of SAS tokens
  • July 7, 2023 - SAS token replaced on GitHub
  • August 16, 2023 - Microsoft completes an internal investigation into potential impact
  • September 18, 2023 - Wiz Research publicly disclosed the matter
