
ChaosDB: How We Hacked Databases of Thousands of Azure Customers

Conference: BlackHat USA 2021

2021-11-11

Summary

Summary of a conference presentation on a vulnerability found in the Azure Cosmos DB service:
  • The vulnerability allowed access to multiple kinds of authentication tokens that could be used to access and manipulate customer data through multiple access vectors
  • Microsoft quickly patched the vulnerability by removing the Jupyter Notebook feature altogether
  • Microsoft awarded the researchers the maximum bounty available for Azure
  • Microsoft only emailed undeniably affected customers, but should have emailed all potentially impacted customers
The researchers were able to authenticate to a public IP address from their office over the internet and view the underlying Service Fabric management panel, which is internal Azure infrastructure that should not be reachable from the internet.

Abstract

In August 2021, the Wiz Research Team uncovered ChaosDB - a critical cross-tenant vulnerability in Azure Cosmos DB, Azure's flagship managed database solution which is used by countless organizations. This vulnerability is every company’s worst nightmare: even a flawless environment is affected. Easily exploitable, this bug allowed any Azure user to have full admin access to thousands of customers' databases, including Fortune 500 companies, without any procedural authorization.

This is an unprecedented cloud vulnerability, considered to be one of the most severe issues ever disclosed in any major cloud platform. This vulnerability triggered many questions regarding the security of managed cloud services. Since this vulnerability allowed stealing long-lasting secrets of the target database, attackers may use these secrets at their convenience, and the only solution is to rotate their secrets and hope they have not been used before.

In this talk, we will take the attacker's point of view and discuss how we exploited a chain of misconfigurations and vulnerabilities in Azure Cosmos DB. From identifying the attack surface through leveraging a complex chain of vulnerabilities that enabled this exploitation, we will uncover obscure mechanisms in Azure's internal infrastructure that we managed to leverage to gain the ability to arbitrarily query data from customers' Cosmos DB instances.

Finally, we will dive deep into the vulnerability's root cause and describe the potential attack vectors and the best practices learned for building more secure cloud services.
