Entrepreneurship, Security Engineer, Innovation
An employee error at Microsoft led to the exposure of sensitive secrets and 38 terabytes of data.
Wiz, a cloud security startup, recently discovered a major exposure in Microsoft’s AI GitHub repository, which included over 30,000 internal Microsoft Teams messages. The cause? A misconfigured SAS token (Shared Access Signature) published on GitHub.
The repository, belonging to Microsoft’s AI research team, was intended to provide open-source code and AI models for image recognition. However, a SAS token was accidentally included in the Azure Storage URL shared in the public repository. This token, meant to grant access to specific files, was improperly configured to allow access to the entire storage account. To make matters worse, the token wasn’t set to read-only; it granted “full control” permissions, giving potential attackers the ability to delete or overwrite files.
The exposure left the door open for attackers to inject malicious code into the AI models, posing a significant risk to other users. In response, Microsoft conducted a comprehensive secret scan across all public repositories on GitHub, including those from partner organizations, and extended the scope to cover all SAS tokens.
Best Practices for Managing SAS URLs (Source: MSRC Blog)
Azure Storage recommends the following best practices for working with SAS URLs:
Apply the Principle of Least Privilege: Scope the SAS URL to the smallest set of resources necessary (e.g., a single blob) and limit permissions to what’s absolutely needed (e.g., read-only).
Use Short-Term SAS URLs: Always set an expiration time for SAS URLs (ideally one hour or less). Ensure clients request a new SAS URL when needed.
Handle SAS Tokens with Care: Treat SAS URLs as application secrets. Only expose them to clients who need access to the storage account.
Have a Revocation Plan: Use storage access policies to allow granular revocation of SAS tokens. Be prepared to rotate keys or remove policies if compromised.
Application Monitoring and Auditing: Enable Azure Monitor and Azure Storage logs to track authentication requests. Set up expiration policies to detect long-lived SAS URLs.
Key Takeaways
As seen in Microsoft’s case, secrets exposed in public repositories like GitHub can become easy targets for attackers. However, this issue isn’t limited to code repositories—secrets can be exposed across internal systems and SaaS solutions, leading to dangerous privilege escalation.
Secret Detection: The best way to prevent such breaches is to use a real-time secret detection engine and enforce Secret-Driven Security. Misconfigurations such as sharing tokens, granting excessive privileges, and setting tokens to never expire are often due to human error. While reducing the risk of mistakes is important, having systems in place to detect and respond in real-time is crucial.
