Last week, researchers from cloud security firm Wiz reported a new vulnerability in Microsoft Azure’s managed database service, Cosmos DB, that they called the worst they’ve ever seen.
According to the researchers, the Azure vulnerability, which they dubbed ChaosDB, gave them “complete, unrestricted access to the accounts and databases of several thousand Microsoft Azure companies, including many Fortune 500 companies.”
How did this happen?
In 2019, Microsoft added a feature called Jupyter Notebook to Cosmos DB. It lets companies visualize their data.
“For this feature to work, the notebook needs access to the database,” said Avi Nutkis, security engineer at Oak9.