Sunday, July 14, 2024

Microsoft Power BI Vulnerability Let Attackers Access Organizations Sensitive Data

A vulnerability in Microsoft Power BI allows unauthorized users to access sensitive data underlying reports, which affects tens of thousands of organizations and grants access to employee, customer, and potentially confidential data. 

By exploiting this vulnerability, attackers can extract information beyond what is visible in the reports, including additional data attributes, records, and details behind aggregated or anonymized data. 

The vulnerability was reported to Microsoft by Nokod Security, but they consider it a feature rather than a security issue, while Power BI semantic models expose all underlying data, including hidden tables, columns, and detailed records, even when only aggregated data or a subset of the data is visualized in the report. 

It grants unintended access to sensitive information for any user with access to the report, regardless of sharing permissions or filtering applied in the report view, which applies to both internal and publicly shared reports. 

Details Of Exploitation:

Public Power BI reports trigger data retrieval upon execution through a POST request to the “/public/reports/querydata” endpoint on the server. 

In contrast, organizational reports leverage a different endpoint on, specifically “/webapi/capacities/<capacityObjectId>/workloads/QES/QueryExecutionService/automatic/public/query”, which likely relies on a capacity object identifier for authorization. 

JSON representation of the requested data

It triggers individual API calls with JSON payloads specifying queries in a proprietary format, by targeting data in the report’s underlying semantic model, where users can request data from both visible and hidden columns/tables, as long as they’re part of the model. 

The first example demonstrates retrieving the “name” column from the “Products” table and filtering for products containing the letter “c,” highlighting how each visual effectively executes a custom query to fetch its specific data requirements. 

Accessible columns and values

An attacker can exploit Power BI reports to access hidden data. While removing filters and aggregations in visualizations is simple, adding unseen data requires knowledge of the data schema. 

This schema can be retrieved from a public report’s “/conceptualschema” endpoint or an organizational report’s “/explore/conceptualschema” endpoint, which exposes the entire semantic model, including hidden columns and tables, even if the report creator marked them as hidden, which empowers the attacker to craft further requests to access the hidden information. 

A vulnerability exists where a SQL table hidden within a Power BI report can still be accessed through the “query” API even though it’s not returned by the “conceptualschema” API. 

Bing for example, returned over 160,000 results

According to Nokod Security, the vulnerability is particularly concerning for organizations that share reports containing confidential information like financial data or healthcare records. 

Finding dozens of reports that could be used against people from different groups, like universities and government websites, showed that the underlying data model can be accessed through API calls and can reveal private data like PII and PHI.  


Latest articles

mSpy Data Breach: Millions of Customers’ Data Exposed

mSpy, a widely used phone spyware application, has suffered a significant data breach, exposing...

Advance Auto Parts Cyber Attack: Over 2 Million Users Data Exposed

RALEIGH, NC—Advance Stores Company, Incorporated, a prominent commercial entity in the automotive industry, has...

Hackers Using ClickFix Social Engineering Tactics to Deploy Malware

Cybersecurity researchers at McAfee Labs have uncovered a sophisticated new method of malware delivery,...

Coyote Banking Trojan Attacking Windows Users To Steal Login Details

Hackers use Banking Trojans to steal sensitive financial information. These Trojans can also intercept...

Hackers Created 700+ Fake Domains to Sell Olympic Games Tickets

As the world eagerly anticipates the Olympic Games Paris 2024, a cybersecurity threat has...

Japanese Space Agency Spotted zero-day via Microsoft 365 Services

The Japan Aerospace Exploration Agency (JAXA) has revealed details of a cybersecurity incident that...

Top 10 Active Directory Management Tools – 2024

Active Directory Management Tools are essential for IT administrators to manage and secure Active...

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles