Microsoft has disclosed that an overly permissive shared access signature (SAS) token exposed company data on GitHub from July 2020 until it was fixed this year.
The mistake was discovered by Wiz Research, who explained that the exposure related to a Microsoft GitHub repository used for sharing open source AI code and models for image recognition.
Someone created a URL to give users download access to the models, and that’s where the mistake was made: “It was configured to grant permissions on the entire storage account, exposing additional private data by mistake.”
Wiz said the URL provided access to 38TB of data, including “secrets, private keys, passwords, and over 30,000 Microsoft Teams messages”.
In a blog post, Microsoft emphasised that no customer data was exposed.
“SAS tokens provide a mechanism to restrict access and allow certain clients to connect to specified Azure Storage resources," Microsoft explained.
“In this case, a researcher at Microsoft inadvertently included this SAS token in a blob store URL while contributing to open-source AI learning models and provided the URL in a public GitHub repository.”
Since it was a configuration error, Microsoft said, no Azure vulnerability was involved.
“Like other secrets, SAS tokens should be created and managed properly. Additionally, we are making ongoing improvements to further harden the SAS token feature and continue to evaluate the service to bolster our secure-by-default posture,” the vendor said.
There was, however, a GitHub scanning issue Microsoft identified during its investigation.
Microsoft expanded GitHub’s secret scanning service to include overly permissive SAS tokens: “This system detected the specific SAS URL identified by Wiz in the ‘robust-models-transfer’ repo, but the finding was incorrectly marked as a false positive”.
That issue has also been addressed, Microsoft said.
Wiz Research reported the issue to Microsoft on July 22, 2023, and Microsoft said it revoked the token and prevented all external access to the storage account on July 23.
