HomeTechnologyMicrosoft AI Researchers Accidentally...

Microsoft AI Researchers Accidentally Expose 38 Terabytes of Confidential Data


Sep 19, 2023THNData Safety / Cybersecurity

Microsoft on Monday said it took steps to correct a glaring security gaffe that led to the exposure of 38 terabytes of private data.

The leak was discovered on the company’s AI GitHub repository and is said to have been inadvertently made public when publishing a bucket of open-source training data, Wiz said. It also included a disk backup of two former employees’ workstations containing secrets, keys, passwords, and over 30,000 internal Teams messages.

The repository, named “robust-models-transfer,” is no longer accessible. Prior to its takedown, it featured source code and machine learning models pertaining to a 2020 research paper titled “Do Adversarially Robust ImageNet Models Transfer Better?”

“The exposure came as the result of an overly permissive SAS token – an Azure feature that allows users to share data in a manner that is both hard to track and hard to revoke,” Wiz said in a report. The issue was reported to Microsoft on June 22, 2023.

Cybersecurity

Specifically, the repository’s README.md file instructed developers to download the models from an Azure Storage URL that accidentally also granted access to the entire storage account, thereby exposing additional private data.

“In addition to the overly permissive access scope, the token was also misconfigured to allow “full control” permissions instead of read-only,” Wiz researchers Hillai Ben-Sasson and Ronny Greenberg said. “Meaning, not only could an attacker view all the files in the storage account, but they could delete and overwrite existing files as well.”

Microsoft AI

In response to the findings, Microsoft said its investigation found no evidence of unauthorized exposure of customer data and that “no other internal services were put at risk because of this issue.” It also emphasized that customers need not take any action on their part.

The Windows makers further noted that it revoked the SAS token and blocked all external access to the storage account. The problem was resolved two after responsible disclosure.

Microsoft AI

To mitigate such risks going forward, the company has expanded its secret scanning service to include any SAS token that may have overly permissive expirations or privileges. It said it also identified a bug in its scanning system that flagged the specific SAS URL in the repository as a false positive.

“Due to the lack of security and governance over Account SAS tokens, they should be considered as sensitive as the account key itself,” the researchers said. “Therefore, it is highly recommended to avoid using Account SAS for external sharing. Token creation mistakes can easily go unnoticed and expose sensitive data.”

UPCOMING WEBINAR

Identity is the New Endpoint: Mastering SaaS Security in the Modern Age

Dive deep into the future of SaaS security with Maor Bin, CEO of Adaptive Shield. Discover why identity is the new endpoint. Secure your spot now.

Supercharge Your Skills

This is not the first time misconfigured Azure storage accounts have come to light. In July 2022, JUMPSEC Labs highlighted a scenario in which a threat actor could take advantage of such accounts to gain access to an enterprise on-premise environment.

The development is the latest security blunder at Microsoft and comes nearly two weeks after the company revealed that hackers based in China were able to infiltrate the company’s systems and steal a highly sensitive signing key by compromising an engineer’s corporate account and likely accessing an crash dump of the consumer signing system.

“AI unlocks huge potential for tech companies. However, as data scientists and engineers race to bring new AI solutions to production, the massive amounts of data they handle require additional security checks and safeguards,” Wiz CTO and co-founder Ami Luttwak said in a statement.

“This emerging technology requires large sets of data to train on. With many development teams needing to manipulate massive amounts of data, share it with their peers or collaborate on public open-source projects, cases like Microsoft’s are increasingly hard to monitor and avoid.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.





Source link

Most Popular

LEAVE A REPLY

Please enter your comment!
Please enter your name here

More from Author

Read Now

Team India Squad for T20 World Cup 2024 Announced: Here’s India’s official team for T20 WC – Republic World

India T20 World Cup squad announcement | Image:APTeam India's squad for the upcoming ICC T20 World Cup 2024 has been announced. On Tuesday, the selection committee led by chief selector Ajit Agarkar convened in Ahmedabad and zeroed in on a 15-member unit, which they deem is the...

Justice Minallah says state has to protect judges, independence of judiciary

Justice Athar Minallah on Tuesday said the state had to protect the judges and the judiciary’s independence as the Supreme Court took up a suo motu case pertaining to allegations of interference in judicial affairs.A six-member bench resumed...

Stock futures slip slightly as investors look ahead to Fed decision, megacap earnings: Live updates

Traders work on the floor of the New York Stock Exchange during morning trading on February 29, 2024 in New York City. Michael M. Santiago | Getty ImagesU.S. stock futures fell slightly Tuesday morning after a positive start to the week, as investors brace for megacap earnings,...

Europe’s Economic Laggards Have Become Its Leaders

Something extraordinary is happening to the European economy: Southern nations that nearly broke up the euro currency bloc during the financial crisis in 2012 are growing faster than Germany and other big countries that have long served as the region’s growth engines.The dynamic is bolstering the...

Trump’s Plans for the Fed Make No Sense, Even for Him

A second Trump administration might be very different from the first, and that includes how the president treats the Fed. Donald Trump complained a lot about the US Federal Reserve when he was president, jawboning for lower interest rates and questioning its competence. Yet at the...

Police to launch raids to find migrants to deport to Rwanda, Cabinet Minister claims

Police will mount raids to find missing migrants so they can be deported to Rwanda, a Cabinet minister has said.Health Secretary Victoria Atkins was commenting on reports that the Home Office has lost contact with thousands of people who are set to be removed from the...

The French #Metoo Scandal Unraveling in Weinstein’s Shadow

French actor Gérard Depardieu was ordered to stand trial for allegedly sexually assaulting two women on a film set three years ago, marking the latest legal escalation for the 75-year-old movie star who has become a central figure in France’s #MeToo movement.The announcement coincides with a...

Hong Kong Bitcoin and Ether ETFs Have Soft Debut

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired...

Customization Overview | Halo Infinite CU32

Operation: Banished Honor arrives on April 30 and you’re gonna want to look the part! After all, the Banished welcome all who pledge their service to Atriox, and your new allegiance and mindset demands a new outfit, so let’s find out more about the customization that...

T20 World Cup 2024 Squads: From India To Australia, Check Here Team-Wise Full Players List, Venues, Fixture, Timings And More

ICC T20 World Cup 2024 Cricket Matches Full Schedule: The T20 World Cup 2024 promises to be an exhilarating showcase of cricketing talent from around the globe. With teams from various nations competing for the prestigious title, fans can expect intense matches filled with thrilling moments...

How the Twins’ summer sausage celebration got made: It sparked the offense, but should they eat it?

CHICAGO — With Abe Froman unavailable, I called sausage expert Elias Cairo to address Rocco Baldelli’s concerns about a potentially hazardous pre-encased meat currently residing in the Minnesota Twins clubhouse.Nearly a week after it arrived and with the package showing visible signs of wear, tear and...