Using chntpw to reset the credentials needed to access a volume is something that could be done on Windows volumes stored with any cloud provider, or on an on-premises volume, he notes. "This tool has in the past been used primarily to reset passwords on a Windows machine where the passwords were forgotten, or by employees trying to gain Administrator access to their work computers; that sort of thing," Cogswell wrote in an e-mail. "As such, it's never really been considered a high security threat. But by having bootable copies of Windows in a cloud, an insider could easily make a copy of your cloud-based hard drive, take the copy home, and spend hours hacking into it using tools such as the one I described."
The vulnerability reinforces Cogswell's belief that sensitive data should not be stored in the cloud, he says. Simple encryption methods would not even protect against this vulnerability, because in some cases code can be modified in a similar way to gain access to keys that are stored in the encrypted file and use them to decrypt the information. Encryption methods that store the keys separately from the encrypted data may be more secure, however.
A Microsoft spokesperson said security is a top priority and "a variety of security technologies and procedures (are used) to help protect customer information from unauthorized access, use, or disclosure." The company did not specifically address the ability of employees to access customer files or the vulnerability to the chntpw reset tool, though. Amazon officials have not yet responded.