A data exposure incident on Microsoft’s AI GitHub repository, which included more than 30,000 internal Microsoft Teams messages, was caused by a single misconfigured shared access signature (SAS) token.
In a Sept. 18 blog post, Wiz researchers said they discovered that while publishing a bucket of open source training data on GitHub, Microsoft’s AI research team accidentally exposed 38 terabytes of additional private data, including a disk backup of the workstations of two employees.
The researchers explained that a SAS token is a signed URL that grants access to Azure storage data. Users can customize the access level, with permissions ranging from read-only to full control, and the scope can be a single file, a container, or an entire storage account.
The Wiz researchers further explained that the expiration time is also customizable, which lets the user create never-expiring access tokens. While this granularity offers great agility for users, it also creates the risk of granting too much access — as was the case with the misconfigured SAS token reported by Wiz.
“Due to a lack of monitoring and governance, SAS tokens pose a security risk and their usage should be as limited as possible,” wrote the Wiz researchers. “These tokens are very hard to track, as Microsoft does not provide a centralized way to manage them within the Azure portal. In addition, these SAS tokens can be configured to last forever, with no upper limit on their expiry time. Therefore, using Account SAS tokens for external sharing is unsafe and should be avoided.”
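The properties described above (scope, permission letters, expiry) are all visible in the query string of a SAS URL, so a defender can audit any SAS links found in repositories or chat logs before they are shared. The following is an added example, not code from Wiz or Microsoft; the account name, container, signature and the 7-day expiry ceiling are constructed assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# SAS permission letters that grant more than read/list access.
WRITE_PERMS = set("wdacux")  # write, delete, add, create, update, permanent delete

def _parse_sas_time(value):
    """Parse the ISO-8601 value of an se/st parameter (accepts a trailing Z or a bare date)."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def assess_sas_url(url, now=None, max_days=7):
    """Return a list of findings for a SAS URL; an empty list means nothing was flagged.

    The max_days ceiling is an assumption for this example, not an Azure default."""
    now = now or datetime.now(timezone.utc)
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if "sig" not in q or "sv" not in q:
        return ["not a SAS URL: no sig/sv parameters"]
    findings = []
    # An account SAS carries ss (services) and srt (resource types); a service SAS carries sr.
    if "ss" in q or "srt" in q:
        findings.append("account SAS: scope is the whole storage account, not one blob or container")
    elif q.get("sr") == "c":
        findings.append("service SAS scoped to an entire container")
    beyond_read = set(q.get("sp", "")) & WRITE_PERMS
    if beyond_read:
        findings.append("permissions beyond read: " + "".join(sorted(beyond_read)))
    if "se" not in q:
        findings.append("no expiry (se) parameter")
    elif _parse_sas_time(q["se"]) - now > timedelta(days=max_days):
        findings.append(f"expiry {q['se']} is more than {max_days} days out")
    return findings

# Constructed sample URLs (placeholder account, container and signature; not real tokens).
OVERLY_PERMISSIVE = ("https://exampleaccount.blob.core.windows.net/?sv=2021-06-08&ss=b&srt=sco"
                     "&sp=rwdlac&se=2051-01-01T00:00:00Z&spr=https&sig=PLACEHOLDER")
READ_ONLY_BLOB = ("https://exampleaccount.blob.core.windows.net/datasets/train.csv"
                  "?sv=2021-06-08&sr=b&sp=r&se=2023-09-21T00:00:00Z&spr=https&sig=PLACEHOLDER")

if __name__ == "__main__":
    for u in (OVERLY_PERMISSIVE, READ_ONLY_BLOB):
        print(u.split("?")[0], assess_sas_url(u) or ["ok"])
```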
SAS tokens are a significant cybersecurity risk if not managed with the utmost care, said Andrew Whaley, senior technical director at Promon. Whaley said although they're a valuable tool for collaboration and sharing data, they can also become a double-edged sword when misconfigured or mishandled.
“When overly permissive SAS tokens are issued or when they are exposed unintentionally, it's like willingly handing over the keys to your front door to a burglar,” said Whaley. “Microsoft may well have been able to prevent this breach if they implemented stricter access controls, regularly audited and revoked unused tokens, and thoroughly educated their employees on the importance of safeguarding these credentials. Additionally, continuous monitoring and automated tools to detect overly permissive SAS tokens could have also averted this blunder.”
SAS tokens are risky because they are similar to the shared links to folders that administrators hand out, but with no good way to keep track of them, explained Mohit Tiwari, co-founder and CEO at Symmetry Systems. Tiwari said the key takeaway is that organizations must understand what data they have, who can access it, and how it’s being accessed.
“What Wiz has identified is not a cloud posture problem,” said Tiwari. “This is a data inventory and access problem.”