Monday, October 7, 2024
HomeCVE/vulnerabilityMicrosoft Power BI Vulnerability Let Attackers Access Organizations Sensitive Data

Microsoft Power BI Vulnerability Let Attackers Access Organizations Sensitive Data

Published on

A vulnerability in Microsoft Power BI allows unauthorized users to access sensitive data underlying reports, which affects tens of thousands of organizations and grants access to employee, customer, and potentially confidential data. 

By exploiting this vulnerability, attackers can extract information beyond what is visible in the reports, including additional data attributes, records, and details behind aggregated or anonymized data. 

The vulnerability was reported to Microsoft by Nokod Security, but they consider it a feature rather than a security issue, while Power BI semantic models expose all underlying data, including hidden tables, columns, and detailed records, even when only aggregated data or a subset of the data is visualized in the report. 

- Advertisement - EHA

It grants unintended access to sensitive information for any user with access to the report, regardless of sharing permissions or filtering applied in the report view, which applies to both internal and publicly shared reports. 

Details Of Exploitation:

Public Power BI reports trigger data retrieval upon execution through a POST request to the “/public/reports/querydata” endpoint on the wabi-west-europe-f-primary-api.analysis.windows.net server. 

In contrast, organizational reports leverage a different endpoint on pbipweu14-westeurope.pbidedicated.windows.net, specifically “/webapi/capacities/<capacityObjectId>/workloads/QES/QueryExecutionService/automatic/public/query”, which likely relies on a capacity object identifier for authorization. 

JSON representation of the requested data

It triggers individual API calls with JSON payloads specifying queries in a proprietary format, by targeting data in the report’s underlying semantic model, where users can request data from both visible and hidden columns/tables, as long as they’re part of the model. 

The first example demonstrates retrieving the “name” column from the “Products” table and filtering for products containing the letter “c,” highlighting how each visual effectively executes a custom query to fetch its specific data requirements. 

Accessible columns and values

An attacker can exploit Power BI reports to access hidden data. While removing filters and aggregations in visualizations is simple, adding unseen data requires knowledge of the data schema. 

This schema can be retrieved from a public report’s “/conceptualschema” endpoint or an organizational report’s “/explore/conceptualschema” endpoint, which exposes the entire semantic model, including hidden columns and tables, even if the report creator marked them as hidden, which empowers the attacker to craft further requests to access the hidden information. 

A vulnerability exists where a SQL table hidden within a Power BI report can still be accessed through the “query” API even though it’s not returned by the “conceptualschema” API. 

Bing for example, returned over 160,000 results

According to Nokod Security, the vulnerability is particularly concerning for organizations that share reports containing confidential information like financial data or healthcare records. 

Finding dozens of reports that could be used against people from different groups, like universities and government websites, showed that the underlying data model can be accessed through API calls and can reveal private data like PII and PHI.  

Latest articles

Hybrid Analysis Utilizes Criminal IP’s Robust Domain Data for Better Malware Detection

Criminal IP, a renowned Cyber Threat Intelligence (CTI) search engine developed by AI SPERA,...

RCE Vulnerability (CVE-2024-30052) Allow Attackers To Exploit Visual Studio via Dump Files

The researcher investigated the potential security risks associated with debugging dump files in Visual...

Cacti Network Monitoring Tool Vulnerability Let Attackers Execute Remote Code

A critical security vulnerability has been identified in the Cacti network monitoring tool that...

Microsoft & DOJ Dismantles Hundreds of Websites Used by Russian Hackers

Microsoft and the U.S. Department of Justice (DOJ) have disrupted the operations of Star...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Hybrid Analysis Utilizes Criminal IP’s Robust Domain Data for Better Malware Detection

Criminal IP, a renowned Cyber Threat Intelligence (CTI) search engine developed by AI SPERA,...

RCE Vulnerability (CVE-2024-30052) Allow Attackers To Exploit Visual Studio via Dump Files

The researcher investigated the potential security risks associated with debugging dump files in Visual...

Cacti Network Monitoring Tool Vulnerability Let Attackers Execute Remote Code

A critical security vulnerability has been identified in the Cacti network monitoring tool that...