A Microsoft Power BI vulnerability allows unauthorized access to sensitive data in reports, affecting tens of thousands of organizations and exposing employee, customer, and confidential information. Attackers can exploit this flaw to retrieve hidden data attributes, records, and details beyond what the reports display.
Microsoft Power BI Vulnerability
Nokod Security reported the vulnerability to Microsoft, but Microsoft views it as a feature rather than a security issue. Power BI semantic models reveal all underlying data, including hidden tables, columns, and detailed records, even when only aggregated data or a subset is visualized. This flaw grants unintended access to sensitive information to any user with access to the report, regardless of sharing permissions or applied filters, affecting both internal and publicly shared reports.
Public Power BI reports retrieve data via a POST request to the “/public/reports/querydata” endpoint on the wabi-west-europe-f-primary-api.analysis.windows.net server. In contrast, organizational reports use the endpoint “/webapi/capacities//workloads/QES/QueryExecutionService/automatic/public/query” on pbipweu14-westeurope.pbidedicated.windows.net, likely relying on a capacity object identifier for authorization.
API calls are triggered with JSON payloads specifying queries in a proprietary format, targeting data within the report’s underlying semantic model. Users can request data from both visible and hidden columns and tables if they are part of the model.
For example, retrieving the “name” column from the “Products” table and filtering for products containing the letter “c” demonstrates how each visual executes a custom query to fetch its specific data requirements.
Attackers can exploit Power BI reports to access hidden data by manipulating visualizations. They can retrieve the data schema from endpoints like “/conceptualschema” or “/explore/conceptualschema,” exposing hidden columns and tables. This allows attackers to craft requests accessing hidden information. A specific vulnerability lets attackers access a hidden SQL table via the “query” API, even if it’s not shown by the “conceptualschema” API.
According to Nokod Security, this vulnerability is especially worrisome for organizations sharing reports with sensitive information such as financial data or healthcare records. They found numerous reports from universities and government websites where underlying data models could be accessed via API calls, exposing private data like PII and PHI.
Leave A Comment