Over a year ago, we learned that Microsoft customers who applied the default configurations for Power Apps portals ended up exposing millions of internal records. In the same vein, the Redmond tech giant has now issued an advisory about a similar misconfiguration that also resulted in customer data being exposed.
The Microsoft Security Response Center (MSRC) has published an advisory explaining that it was informed of the problem dubbed "BlueBleed" by security researchers at SOCRadar on September 24. Basically, a misconfiguration in an Azure Blob Storage bucket led to data between Microsoft, prospective customers, and authorized partners being accessible publicly. The data at stake included names, email addresses, email content, company name, phone numbers, and file attachments.
While Microsoft has acknowledged SOCRadar's report, it has expressed disappointment at how the security firm handled the disclosure. It says that the numbers in SOCRadar's report were exaggerated, with the firm calling it "one of the largest B2B leaks in recent years" which exposed the data of 65,000 entities across 111 countries. Microsoft claims that a lot of the data in question was just duplicates and that the scope of this misconfiguration has been blown out of proportion by SOCRadar. It has lamented that the firm failed to update its blog post even after a complaint by the Redmond tech giant.
Additionally, Microsoft called SOCRadar out for marketing its own threat detection tool, saying that it is "not in the best interest of ensuring customer privacy or security and potentially exposing them to unnecessary risk". Instead, it has highlighted its own recommendations for security companies that are working on similar tools:
- to implement a reasonable verification system to ensure that a user is who it purports to be;
- to follow data minimization principles by scoping the results delivered solely to information pertaining to that verified user only;
- where that company is not in a position to determine with reasonable fidelity which customers had affected data, to not then surface to a given user information (including metadata/filenames) that may belong to another customer.
Microsoft has clarified that while there was potential for unauthorized access to the bucket, its investigation has revealed no such activity took place at the endpoint. Regardless, the issue has now been patched and the company has reached out to impacted customers.