Microsoft corrected a major security flaw that compromised files and passwords of its employees

Microsoft has fixed a vulnerability discovered in one of its storage servers hosted in the Azure cloud. The server stored company information related to its search engine, Bing, and could be accessed by malicious actors.

The flaw was reported to the firm by researchers Can Yoleri, Murat Özfidan and Egemen Koçhisarli of the cybersecurity company SOCRadar, which helps organizations find weaknesses in their security systems.

These analysts discovered a public, open storage server hosted in Microsoft’s Azure cloud, which contained internal company information related to Bing, as reported by TechCrunch.

This server, which was not protected with any password, stored code, scripts and configuration files that contained passwords, keys and credentials used by Microsoft workers to access different databases and internal systems.

Cybercriminals could have used the exposed data to identify or access other company folders, which “could result in more significant data leaks and possibly compromise the services in use,” Yoleri told TechCrunch.

SOCRadar has also said that it does not know how long this unprotected server was exposed on the Internet, or whether anyone outside the cybersecurity firm discovered the data and files it stored.

Analysts notified Microsoft of this discovery on February 6, and the company closed this vulnerability on its server a month later, on March 5. So far, it has not clarified whether anyone other than SOCRadar was able to access its files during that time.

The company already suffered a similar cybersecurity incident a few months ago, when it confirmed that it had exposed data corresponding to its commercial relationships with potential clients due to a misconfiguration of one of its servers.

In that case, too, the firm had been notified by SOCRadar researchers, who reported the problem at the end of September. Microsoft said at the time that its investigation showed no indication that customer accounts had been compromised.

By Editor
