Late last month, researchers from cloud security firm Wiz found a new vulnerability that allows Azure users to access cloud databases of other users, breaking the principle of secure multitenancy. They dubbed it ChaosDB.
This month, they found another one. In some respects, it’s not as bad as the ChaosDB vulnerability because it doesn’t break multitenancy. But in other respects, the new vulnerability, OMIGOD, is actually worse.
The ChaosDB vulnerability resulted from a misconfiguration on Microsoft's part. When the company fixed it, the vulnerability went away. Customers just needed to reset their security keys. Microsoft patched it quickly, and no exploits have been reported.
It was a serious vulnerability — Wiz researchers were able to get into the databases of Fortune 500 companies — but the impact was limited.
Not so with the newest one, dubbed OMIGOD, which is already being exploited by attackers.