Token error left Microsoft data exposed

Microsoft has disclosed that an overly permissive shared access signature (SAS) token exposed company data on GitHub from July 2020 until it was fixed this year.

The mistake was discovered by Wiz Research, who explained that the exposure related to a Microsoft GitHub repository used for sharing open source AI code and models for image recognition.

Someone created a URL to give users download access to the models, and that’s where the mistake was made: “It was configured to grant permissions on the entire storage account, exposing additional private data by mistake.”

Wiz said the URL provided access to 38TB of data, including “secrets, private keys, passwords, and over 30,000 Microsoft Teams messages”.

In a blog post, Microsoft emphasised that no customer data was exposed.

“SAS tokens provide a mechanism to restrict access and allow certain clients to connect to specified Azure Storage resources,” Microsoft explained.

“In this case, a researcher at Microsoft inadvertently included this SAS token in a blob store URL while contributing to open-source AI learning models and provided the URL in a public GitHub repository.”

Since it was a configuration error, Microsoft said, no Azure vulnerability was involved.

“Like other secrets, SAS tokens should be created and managed properly. Additionally, we are making ongoing improvements to further harden the SAS token feature and continue to evaluate the service to bolster our secure-by-default posture,” the vendor said.

There was, however, a GitHub scanning issue Microsoft identified during its investigation.

Microsoft expanded GitHub’s secret scanning service to include overly permissive SAS tokens: “This system detected the specific SAS URL identified by Wiz in the ‘robust-models-transfer’ repo, but the finding was incorrectly marked as a false positive”.

That issue has also been addressed, Microsoft said.

Wiz Research reported the issue to Microsoft on July 22, 2023, and Microsoft said it revoked the token and prevented all external access to the storage account on July 23.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts