According to the repository’s analysis, it contains a set of training data, open source code and artificial intelligence models for image recognition. Anyone can download a set of models from a URL on Azure Storage, the company’s own cloud service. But if you dig, you can find much more.

What is known

Wiz discovered that this URL was configured to grant “full control” rights to the entire repository account rather than “read-only” rights. Specifically, this led to the release of an additional 38 terabytes of confidential data. personal backup copies of the computers of two Microsoft employees.

The repository also contained other confidential personal information such as: Microsoft services passwords, secret keys and over 30,000 internal messages From hundreds of company employees in Microsoft Teams.

The storage account was not opened directly, but Microsoft AI developers added a SAS Public Signing permission token to the URL, which is a mechanism used by Azure that allows you to create split connections that provide access to Azure Storage account data.

No customer data was exposed and no other internal services were compromised due to this issue,
– commented in the company.

Wiz co-founder and CTO Ami Luttwak said artificial intelligence opens up huge potential for technology companies. According to him, the huge amount of data that scientists and engineers work with requires additional controls and security measures. Because many development teams need to handle large amounts of data, share with colleagues, or collaborate on publicly available open source projects, cases like Microsoft’s are becoming increasingly difficult to track down and avoid.