Cybersecurity firm Wiz has found another major vulnerability within a popular cloud-storage environment.
After identifying multiple security vulnerabilities in Microsoft’s heavily used Azure cloud services, Wiz researchers are now saying they recently found a “critical vulnerability” in the Oracle Cloud Infrastructure (OCI) that could have allowed “unauthorised access to cloud storage volumes of any customer.”
Wiz said the vulnerability was spotted in June and quickly fixed within 24 hours by Oracle, and was one of the most severe cloud vulnerabilities reported.
Called ‘#AttachMe’ by researchers, the vulnerability violated one of the most important promises of cloud storage – that a customer’s data is safe from prying eyes, according to Wiz.
Wiz engineer Elad Gabay said: “Cloud tenant isolation is a key element in cloud. Customers expect that their data isn’t accessible by other customers. Yet, cloud isolation vulnerabilities break the walls between tenants.
“Before it was patched, #AttachMe could have allowed attackers to access and modify any other users‘ OCI storage volumes without authorization, thereby violating cloud isolation.”
In his post, Gabay said that “thankfully” Oracle officials responded “extraordinarily quickly” when Wiz disclosed its findings in June.
Ironically, Wiz discovered the major vulnerability as it was integrating its cloud-security technology with OCI, after the two companies had entered into a partnership that made Wiz available on Oracle Cloud Marketplace, company officials said.
