Microsoft has been its own worst enemy this week as the tech giant suffered two unrelated incidents where masses of internal documents, trade secrets, and backups of employee computers were released on the internet.
On Tuesday, researchers at security company Wiz went public about a 38TB trove of data that Microsoft’s AI team had accidentally leaked through a GitHub repository.
The leak came from a misconfigured Azure storage container that was just meant to share open-source AI models, except the Microsoft team had given it permissions for the whole storage account.
“Our scan shows that this account contained 38TB of additional data — including Microsoft employees’ personal computer backups,” Wiz said.
“The backups contained sensitive personal data, including passwords to Microsoft services, secret keys, and over 30,000 internal Microsoft Teams messages from 359 Microsoft employees.”
It was the way the AI researchers shared their models to the public by using an Azure Shared Access Signature (SAS) token that caused the exposure.
Because SAS tokens are flexible enough to allow full write permissions, and are created client-side so admins don’t know they exist, a simple misconfiguration can lead to an absurd amount of sensitive information finding its way onto the web.
Even worse, Wiz said, the full storage control combined with the original model data’s file format meant the file could potentially have been modified to allow arbitrary code execution.
“Meaning,” according to Wiz, “An attacker could have injected malicious code into all the AI models in this storage account, and every user who trusts Microsoft’s GitHub repository would’ve been infected by it.”
Microsoft-owned GitHub has expanded its secret scanning service – which checks open-source code for exposed credentials – to detect “any SAS token that may have overly-permissive expirations or privileges” following the incident, according to a blog post.
Wiz’s investigations into cloud configurations previously let it change Bing search results.
Unredacted Xbox secrets go online
As if that wasn’t bad enough, Microsoft was soon scrambling to deal with another case of publicly exposed sensitive data, only this time it was a lot less esoteric than misconfigured cloud access tokens.
Microsoft is currently engaged in a lawsuit brought against it by the US Federal Trade Commission over the company’s $95 billion acquisition of Activision Blizzard.
The FTC, and other regulators, has made the case that Microsoft’s purchase of a large rival game publisher is anti-competitive and will condense the market.
Already the trial has brought out internal documents, like a presentation that speaks of Microsoft’s desire to get everyone running Windows from the cloud, but they had thus far been redacted to exclude particularly sensitive corporate information.
At least, that was until this week when Microsoft uploaded a tranche of completely unredacted documents to a US District Court as part of the trial.
The documents – which were removed but not before they had been downloaded, shared, and reported on – contain all manner of corporate secrets from a refresh of its Xbox Series X due next year, to launch windows of unannounced video games, and even an email in which Microsoft Gaming CEO Phil Spencer says the company should buy Nintendo.
Spencer told staff in a memo – which was itself leaked to the Verge – that the unintentional disclosure was “disappointing” and that the company “take[s] the confidentiality of our plans and our partners’ information very seriously”.
“This leak obviously is not us living up to that expectation,” Spencer said.
“We will learn from what happened and be better going forward. We all put incredible amounts of passion and energy into our work, and this is never how we want that hard work to be shared with the community.”