On June 24, 2023, Microsoft mitigated the exposure of internal information in a storage account due to an overly permissive Shared Access Signature (SAS) token. The incident was discovered by security researchers at Wiz Research, who reported it to Microsoft’s Security Response Center (MSRC) on June 22.
A SAS token is an Azure Storage feature that lets users grant limited access to storage resources without sharing the storage account keys. If a SAS token is configured with overly permissive permissions, however, it can allow unauthorized users to access sensitive data.
In this case, a Microsoft employee accidentally shared a URL for a blob store in a public GitHub repository while contributing to open-source AI learning models. This URL included an overly-permissive SAS token for an internal storage account. This allowed Wiz researchers to access and download 38TB of internal data, including backups of personal information belonging to Microsoft employees, such as passwords for Microsoft services, secret keys, and an archive of over 30,000 internal Microsoft Teams messages.
Microsoft has stated that no customer data was exposed in this incident, and that no other internal services were affected. The company has also taken steps to mitigate the risk of future incidents, such as by implementing stricter controls on the use of SAS tokens and by educating employees about the importance of security best practices.
This incident is a reminder of the importance of configuring SAS tokens with the appropriate permissions, and of educating employees about security best practices, such as never sharing sensitive information in public repositories.
Here are some tips for configuring SAS tokens securely:
- Grant only the permissions that are necessary for the intended use case.
- Set a short expiration time for the SAS token.
- Use IP address restrictions so the SAS token is only accepted from specific IP addresses or ranges.
- Consider using user delegation SAS tokens, which are secured with Azure Active Directory (AAD) credentials rather than the storage account key.
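As an added example (not code from the original article or from Microsoft), the following Python script audits a SAS URL against the four tips above: it parses the token's query parameters (sp permissions, se expiry, sip IP range, and skoid, which appears only on user delegation SAS tokens) and reports each tip the token violates. The storage account, container names and signatures in the sample URLs are constructed placeholders, not the token from the incident.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Constructed sample URLs for the demo: hypothetical account, placeholder
# signatures, not the token from the incident.
RISKY_URL = ("https://example.blob.core.windows.net/datasets?sv=2020-08-04&sr=c"
             "&sp=racwdl&se=2051-01-01T00:00:00Z&sig=PLACEHOLDER")
SAFER_URL = ("https://example.blob.core.windows.net/datasets/model.bin?sv=2020-08-04"
             "&sr=b&sp=r&se=2023-06-22T00:30:00Z&sip=203.0.113.10"
             "&skoid=00000000-0000-0000-0000-000000000000&sig=PLACEHOLDER")

WRITE_CLASS = set("acwd")  # sp letters: add, create, write, delete


def parse_expiry(se: str) -> datetime:
    """'se' is ISO-8601 UTC: a full timestamp ending in Z or a bare date."""
    return datetime.fromisoformat(se.rstrip("Z")).replace(tzinfo=timezone.utc)


def audit_sas(url: str, now: datetime,
              max_lifetime: timedelta = timedelta(hours=1)) -> list:
    """Return a list of findings for a SAS URL; empty means all checks passed."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if not all(k in q for k in ("sig", "sp", "se")):
        return ["not a SAS URL: missing sig/sp/se"]
    findings = []
    perms = set(q["sp"])
    if perms & WRITE_CLASS:  # tip 1: only the permissions the use case needs
        findings.append(f"write-class permissions granted (sp={q['sp']})")
    if "l" in perms and q.get("sr") == "c":
        findings.append("list permission on a whole container (sr=c)")
    remaining = parse_expiry(q["se"]) - now
    if remaining > max_lifetime:  # tip 2: short expiry
        findings.append(f"expiry {q['se']} is {remaining.days} days out")
    if "sip" not in q:  # tip 3: IP restriction
        findings.append("no IP restriction (sip absent)")
    if "skoid" not in q:  # tip 4: user delegation SAS carries the signed key OID
        findings.append("signed with the storage account key, not a user delegation SAS")
    return findings


if __name__ == "__main__":
    now = datetime(2023, 6, 22, tzinfo=timezone.utc)
    for url in (RISKY_URL, SAFER_URL):
        print(url.split("?")[0], audit_sas(url, now) or ["OK"])
```

Run it over URLs pulled from repository history or proxy logs to spot tokens that should be revoked by rotating the account key or the user delegation key.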