
      “Worst cloud vulnerability you can imagine” discovered in Microsoft Azure

      Jim Salter · news.movim.eu / ArsTechnica · Friday, 27 August, 2021 - 21:00

    Cosmos DB is a managed database service offering—including both relational and noSQL data structures—belonging to Microsoft's Azure cloud infrastructure. (credit: Microsoft)

    Cloud security vendor Wiz announced yesterday that it found a vulnerability in Microsoft Azure's managed database service, Cosmos DB, that granted read/write access for every database on the service to any attacker who found and exploited the bug.

    Although Wiz only found the vulnerability—which it named "Chaos DB"—two weeks ago, the company says that the vulnerability has been lurking in the system for "at least several months, possibly years."

    A slingshot around Jupyter

    In 2019, Microsoft added the open-source Jupyter Notebook functionality to Cosmos DB. Jupyter Notebooks are a particularly user-friendly way to implement machine learning algorithms; Microsoft promoted Notebooks specifically as a useful tool for advanced visualization of data stored in Cosmos DB.


      Need to get root on a Windows box? Plug in a Razer gaming mouse

      Jim Salter · news.movim.eu / ArsTechnica · Thursday, 26 August, 2021 - 16:07 · 1 minute

    This is definitely not a Razer mouse—but you get the idea. (credit: calvio via Getty Images)

    This weekend, security researcher jonhat disclosed a long-standing security bug in the Synapse software associated with Razer gaming mice. During software installation, the wizard produces a clickable link to the location where the software will be installed. Clicking that link opens a File Explorer window to the proposed location—but that File Explorer process spawns running as SYSTEM, not as the user.

    Have mouse, will root

    By itself, this vulnerability in Razer Synapse sounds like a minor issue—after all, in order to launch a software installer with SYSTEM privileges, a user would normally need to have Administrator privileges themselves. Unfortunately, Synapse is a part of the Windows Catalog—which means that an unprivileged user can just plug in a Razer mouse, and Windows Update will cheerfully download and run the exploitable installer automatically.

    Jonhat isn't the only—or even the first—researcher to discover and publicly disclose this bug. Lee Christensen publicly disclosed the same bug in July, and according to security researcher _MG_, who demonstrated it using an OMG cable to mimic the PCI Device ID of a Razer mouse and exploit the same vulnerability, researchers have been reporting it fruitlessly for more than a year.


      100,000 Razer users’ data leaked due to misconfigured Elasticsearch

      Jim Salter · news.movim.eu / ArsTechnica · Monday, 14 September, 2020 - 13:35

    This redacted sample record from the leaked Elasticsearch data shows someone's June 24 purchase of a $2,600 gaming laptop. (credit: Volodymyr Diachenko)

    In August, security researcher Volodymyr Diachenko discovered a misconfigured Elasticsearch cluster, owned by gaming hardware vendor Razer, exposing customers' PII (Personally Identifiable Information).

    The cluster contained records of customer orders and included information such as item purchased, customer email, customer (physical) address, phone number, and so forth—basically, everything you'd expect to see from a credit card transaction, although not the credit card numbers themselves. The Elasticsearch cluster was not only exposed to the public, it was indexed by public search engines.

    Diachenko reported the misconfigured cluster—which contained roughly 100,000 users' data—to Razer immediately, but the report bounced from support rep to support rep for over three weeks before being fixed.
