A misconfigured link accidentally leaked access to 38TB of Microsoft data, opening up the ability to inject malicious code into its AI models.
The finding comes from cloud security provider Wiz, which recently scanned the internet for exposed storage accounts. It found a software repository on Microsoft-owned GitHub dedicated to supplying open-source code and AI models for image recognition.
On the affected GitHub page, a Microsoft employee had created a URL, enabling visitors to the software repository to download AI models from an Azure storage container. “However, this URL allowed access to more than just open-source models,” Wiz said in its report. “It was configured to grant permissions on the entire storage account, exposing additional private data by mistake.”
Scans from Wiz Research also indicated the Azure storage container held 38TB of data, including “passwords to Microsoft services, secret keys, and over 30,000 internal Microsoft Teams messages from 359 Microsoft employees.”
The URL to the storage container was also created using a powerful “Shared Access Signature” or SAS token, which gave anyone visiting the link—including potential attackers—the ability to view, delete, or overwrite those files.
“This is particularly interesting considering the repository’s original purpose: providing AI models for use in training code,” Wiz said. “Meaning, an attacker could have injected malicious code into all the AI models in this storage account, and every user who trusts Microsoft’s GitHub repository would’ve been infected by it.”
Wiz reported this to Microsoft in June, and the company promptly plugged the leak. "No customer data was exposed, and no other internal services were put at risk because of this issue," Microsoft said in its own report.
The company also said the exposed storage container contained backups and internal Microsoft Teams messages belonging to two former Microsoft employees. To prevent any further leaks, Microsoft has been scanning for SAS tokens “that may have overly permissive expirations or privileges” on GitHub.
“This system detected the specific SAS URL identified by Wiz in the ‘robust-models-transfer’ repo, but the finding was incorrectly marked as a false positive,” Microsoft said. “The root cause issue for this has been fixed and the system is now confirmed to be detecting and properly reporting on all over-provisioned SAS tokens.”
Still, the incident is a reminder to securely configure access to cloud storage accounts, especially those housing large data sets. "As data scientists and engineers race to bring new AI solutions to production, the massive amounts of data they handle require additional security checks and safeguards,” Wiz added.
The company’s report goes on to detail some of the alleged security pitfalls with SAS tokens on an Azure account. But Microsoft says, “like any key-based authentication mechanism, a SAS can be revoked at any time by rotating the parent key. In addition, SAS supports fine-grained revocation at the container level, without having to rotate storage account keys.”