Microsoft's GitHub Blunder: Unintentional Data Exposure and Rapid Resolution
Microsoft inadvertently exposed personal data while sharing open-source code and AI models on GitHub. The issue involved overly permissive SAS tokens but has been resolved, with improved security measures.
The inclusion of the link in the repository was intentional, as it was meant to allow interested researchers to download pretrained models. Microsoft's researchers utilized an Azure feature called "SAS tokens," which enables users to create shareable links granting access to data in their Azure Storage account. Users control what a SAS link grants access to, whether it's a single file, an entire container, or the entire storage account. In this case, Microsoft shared a link that provided access to the entire storage account, leading to the data exposure.
Wiz promptly reported the security issue to Microsoft on June 22, and by June 23, the company had revoked the SAS token. Microsoft acknowledged that its system had mistakenly identified the issue as a "false positive" during routine scans of its public repositories. To prevent similar incidents in the future, Microsoft has resolved the issue and enhanced its system's ability to detect overly permissive SAS tokens. The company emphasized the importance of creating and handling SAS tokens appropriately.
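The two points above, that a SAS link can be scoped to a single blob, a container or the whole account, and that overly permissive tokens can be detected by scanning for them, are illustrated by the following added example. It is not code from Microsoft, Wiz or the original article. It parses the query string of a SAS URL using the real Azure parameter names (`ss`/`srt` for an account SAS, `sr` for a service SAS, `sp` for permissions, `se` for expiry, `spr` for protocol) and flags account-wide scope, mutating permissions, long lifetimes and HTTP access. The sample URLs, storage account name and signature values are constructed for the example, and the "mutating" letter set and seven-day lifetime limit are assumptions chosen for illustration, not Azure defaults.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Core Azure SAS permission letters that let the holder change data
# (write, delete, add, create, update, process). Azure defines more letters;
# this subset is an assumption kept small for the example.
MUTATING_PERMS = set("wdacup")

# Constructed sample URLs: signatures are placeholders, not real tokens.
PERMISSIVE_URL = (
    "https://examplestorage.blob.core.windows.net/models/"
    "?sv=2020-08-04&ss=b&srt=sco&sp=rwdlac"
    "&se=2051-10-15T00:00:00Z&spr=https&sig=CONSTRUCTED_SIGNATURE_1"
)
SCOPED_URL = (
    "https://examplestorage.blob.core.windows.net/models/model.bin"
    "?sv=2020-08-04&sr=b&sp=r"
    "&se=2023-06-23T00:00:00Z&spr=https&sig=CONSTRUCTED_SIGNATURE_2"
)

# Fixed "now" so the lifetime calculation is reproducible (assumed date).
NOW = datetime(2023, 6, 22, tzinfo=timezone.utc)


def assess_sas(url: str, now: datetime = NOW, max_lifetime_days: int = 7) -> dict:
    """Classify a SAS URL by scope, permissions, lifetime and protocol."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    findings = []

    # Account SAS carries ss/srt and spans the whole storage account;
    # a service SAS carries sr (c = container, b = blob).
    if "ss" in q or "srt" in q:
        scope = "account"
        findings.append("account-level SAS: grants access to the entire storage account")
    else:
        scope = {"c": "container", "b": "blob"}.get(q.get("sr", ""), "unknown")

    perms = set(q.get("sp", ""))
    mutating = "".join(sorted(perms & MUTATING_PERMS))
    if mutating:
        findings.append(f"mutating permissions granted: {mutating}")

    # se is the expiry; a stored access policy (si) may carry it instead.
    lifetime_days = None
    if "se" in q:
        expiry = datetime.fromisoformat(q["se"].replace("Z", "+00:00"))
        lifetime_days = (expiry - now).days
        if lifetime_days > max_lifetime_days:
            findings.append(f"expiry is {lifetime_days} days away (limit {max_lifetime_days})")
    elif "si" not in q:
        findings.append("no expiry (se) and no stored access policy (si)")

    # Without spr=https Azure accepts the token over plain HTTP as well.
    https_only = q.get("spr", "").lower() == "https"
    if not https_only:
        findings.append("spr does not restrict the token to HTTPS")

    return {
        "scope": scope,
        "permissions": "".join(sorted(perms)),
        "mutating": mutating,
        "lifetime_days": lifetime_days,
        "https_only": https_only,
        "findings": findings,
        "risk": "high" if findings else "low",
    }


def demo() -> dict:
    """Assess the constructed permissive and scoped sample URLs."""
    return {"permissive": assess_sas(PERMISSIVE_URL), "scoped": assess_sas(SCOPED_URL)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result["scope"], result["risk"])
        for f in result["findings"]:
            print("  -", f)
```

Run over a repository's files or commit history, a scanner built on this check would flag the first URL (account scope, write and delete permissions, expiry decades out) while passing the second (one blob, read-only, one-day lifetime). Never log or store the `sig` value of tokens the scanner finds; the URL itself is the credential.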
In response to the incident, Microsoft has also published a set of best practices for using SAS tokens, both for its own use and for the wider community. While the specific link identified by Wiz has been remedied, the incident highlights the potential risks associated with improperly configured SAS tokens, which could lead to data leaks and significant privacy concerns. Microsoft is committed to maintaining robust security measures to safeguard sensitive data and prevent such incidents from occurring in the future.