Comment

Comment on Microsoft AI team accidentally leaks 38TB of private company data

exohuman@programming.dev ⁨9⁩ ⁨months⁩ ago

Wiz says that this occurred as a result of an Azure feature called Shared Access Signature (SAS) tokens, which is “a signed URL that grants access to Azure Storage data.”

The URL gave full access to read and write all data in the Azure Storage. This is so obvious a security hole. This “feature” should never be. If you are going to use signed urls, then implement them so that they expire after 24 hours or something.

source

Sort:hotnew top

DonPiano@lemmy.ca ⁨9⁩ ⁨months⁩ ago

The SAS token could have been set up with limitations to what file or files could be accessed. However, this particular link was configured with full access.

Apparently the AI researchers weren’t trained on how to properly secure SAS tokens, or were just neglegent.

source
- tdawg@lemmy.world ⁨9⁩ ⁨months⁩ ago
  As an API developer it’s appalling to me that someone wouldn’t immediately change this
  
  source