Microsoft's Xbox Leak and Data Breach: A Double Security Dilemma

Microsoft faced a major Xbox leak and an AI research team's data breach. The leaks exposed sensitive information, including employee data, due to Azure token misconfiguration.

Microsoft appears to be facing a challenging period, marked by a series of leaks that have raised eyebrows in the tech world. The most significant of these leaks, dubbed the "biggest leak in Xbox history," unveiled details about an upcoming Xbox Series X console with the codename 'Brooklin.' This new gaming console boasts a distinctive cylindrical design and is anticipated to hit the market in November of this year.

In response to the incident, Microsoft swiftly issued a statement, reassuring concerned customers that their data remained secure and that internal services had not been compromised. However, it was revealed that the AI research team had inadvertently uploaded training data containing not only open-source code but also AI models for image recognition. This created a GitHub repository that provided users with access to an Azure link, enabling them to download these valuable models.

Despite Microsoft's assurances that customer data was unharmed and internal services remained intact, the Azure storage account linked in the repository granted users complete access. This unexpected access allowed them to manipulate the stored data, including uploading, overwriting, and even deleting existing files.

The cybersecurity experts at Wiz identified the root cause of this security breach as an Azure feature known as Shared Access Signature (SAS) tokens. While SAS tokens are designed to provide restricted access rights to Azure Storage resources, the misconfiguration in this case essentially turned the link into an open door, granting unlimited access.

Recognizing the gravity of the situation, Wiz promptly reported the issue to Microsoft on June 22, 2023. Microsoft responded swiftly by revoking the SAS token on June 23, 2023. Despite subsequent scans of its public repositories, Microsoft's systems initially marked the link that triggered the breach as a false positive.

The potential consequences of such leaks falling into the wrong hands are staggering. Fortunately, in this instance, the issue was identified and resolved promptly.

Microsoft has taken proactive steps to prevent similar incidents in the future, including releasing a comprehensive set of best practices for handling SAS tokens. It is abundantly clear that users must exercise caution when using this feature and implement stringent restrictions to prevent a recurrence of such a potentially catastrophic breach.
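As an added illustration of the restrictions discussed above (this is not code from Microsoft or Wiz), the following Python sketch audits a SAS URL before it is shared by reading its standard query fields (`sp`, `se`, `sr`/`srt`, `spr`). The 7-day lifetime threshold, the account name and the sample URLs are assumptions constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# "sp" letters that let the holder change stored data.
MUTATING = {"w": "write", "d": "delete", "a": "add", "c": "create"}
MAX_LIFETIME = timedelta(days=7)  # assumed local policy, not a Microsoft limit

# Constructed sample inputs (account name and signature are placeholders).
SAMPLE_NOW = datetime(2023, 6, 22, tzinfo=timezone.utc)
SAMPLE_BROAD = ("https://exampleaccount.blob.core.windows.net/?sv=2020-08-04"
                "&ss=b&srt=sco&sp=rwdlac&se=2040-01-01T00%3A00%3A00Z"
                "&spr=https&sig=CONSTRUCTED")
SAMPLE_NARROW = ("https://exampleaccount.blob.core.windows.net/models/a.bin"
                 "?sv=2020-08-04&sr=b&sp=r&se=2023-06-24T00%3A00%3A00Z"
                 "&spr=https&sig=CONSTRUCTED")


def audit_sas_url(url, now):
    """Return findings for one SAS URL; an empty list means nothing flagged."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in q:
        return ["no sig parameter: not a SAS URL"]
    findings = []
    # Account SAS carries ss/srt; service SAS carries sr (b=blob, c=container).
    if "srt" in q:
        findings.append("account-level SAS (srt=%s)" % q["srt"])
    elif q.get("sr") == "c":
        findings.append("container-level SAS: covers every blob in it")
    granted = sorted(MUTATING[p] for p in q.get("sp", "") if p in MUTATING)
    if granted:
        findings.append("modifying permissions: " + ", ".join(granted))
    if "se" not in q:
        findings.append("expiry not in URL (may come from a stored access policy)")
    else:
        expires = datetime.fromisoformat(q["se"].replace("Z", "+00:00"))
        if expires.tzinfo is None:  # date-only values parse as naive
            expires = expires.replace(tzinfo=timezone.utc)
        if expires - now > MAX_LIFETIME:
            findings.append("expires %s: beyond %d-day policy"
                            % (expires.date(), MAX_LIFETIME.days))
    if q.get("spr") != "https":
        findings.append("HTTP allowed (spr is not https)")
    return findings


if __name__ == "__main__":
    for url in (SAMPLE_BROAD, SAMPLE_NARROW):
        print(url.split("?")[0], audit_sas_url(url, SAMPLE_NOW) or "ok")
```

A check like this fits in a pre-commit hook or repository scan, so that a token granting write or delete rights, or one that outlives its purpose, is caught before the link is published.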
