Microsoft SharePoint Connector Flaw Could've Enabled Credential Theft Across Power Platform

Feb 04, 2025 | Ravie Lakshmanan | Vulnerability / SharePoint

Cybersecurity researchers have provided details on a recently discovered vulnerability that affects the Microsoft SharePoint connector on Power Platform and, if successfully exploited, could allow threat actors to seize a user’s credentials and launch follow-on attacks.

In a statement shared with The Hacker News ahead of publishing, Zenity Labs said the flaw enables post-exploitation actions that allow the attacker to send requests to the SharePoint API on behalf of the victim. This could lead to unauthorized access to sensitive data.

“This risk can be exploited across Power Automate, Power Apps, Copilot Studio, and Copilot 365, which significantly broadens the scope of possible damage,” senior security scientist Dmitry Lozovoy said.

“A successful invasion is more likely to result in hackers being able to target multiple interconnected services within the Power Platform ecosystem.”

Following responsible disclosure in September 2024, Microsoft addressed the security hole, assessed with an “Essential” severity rating, as of December 13.

Microsoft Power Platform is a collection of low-code development tools that allow users to build analytics, process automation, and data-driven productivity applications.

The vulnerability, at its core, is an instance of server-side request forgery (SSRF) stemming from the use of the “custom value” functionality within the SharePoint connector, which permits an attacker to insert their own URLs as part of a flow.

However, for the attack to succeed, the rogue user needs to hold the Environment Maker role and the Basic User role in Power Platform. Additionally, they would first need to gain access to the target organization by other means before obtaining these roles.

“They can create and share malicious resources like apps and flows with the Environment Maker role,” Zenity told The Hacker News. “They can run apps and interact with resources they own in the Power Platform thanks to the Basic User role. If the attacker doesn’t already have these roles, they would need to gain them first.”

In a hypothetical attack scenario, a threat actor could create a flow for a SharePoint action and share it with a vulnerable (read: victim) user, leading to the leakage of their SharePoint JWT access token.

With this captured token, the attacker could send requests outside of the Power Platform on behalf of the user to whom access was granted.

That’s not all. By creating a seemingly benign Canvas app or Copilot agent that steals a user’s token and escalates access, the vulnerability could be extended to other services, including Power Apps and Copilot Studio.

“You can take this even further by embedding the Canvas app into a Teams channel, for example,” Zenity noted. “You can also get their tokens just as easily once they have an interaction with the app in Teams, expanding your organization’s reach and promoting the attack even further.”

The main takeaway is that the interconnected nature of Power Platform services can pose serious security risks, especially given the widespread use of the SharePoint connector, where a lot of sensitive corporate data is kept, and it can be challenging to ensure proper access rights are maintained in various environments.
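
One way a defender could review exported flow definitions for the custom-value pattern described above: flag SharePoint connector actions whose site address is not on a tenant allowlist or is only resolved at run time. This is an added example, not code from Zenity or Microsoft; the field layout (inputs.host.apiId, inputs.parameters.dataset), the allowlist and the sample flow are assumptions.

```python
from urllib.parse import urlsplit

# Assumed layout: inputs.host.apiId and inputs.parameters.dataset; the allowlist is hypothetical.
SHAREPOINT_API = "shared_sharepointonline"
ALLOWED_HOSTS = {"contoso.sharepoint.com"}

def classify_site(value):
    """Return 'ok', 'dynamic' (resolved at run time, review by hand) or 'external'."""
    if not isinstance(value, str) or value.startswith("@") or "@{" in value:
        return "dynamic"
    parts = urlsplit(value.strip())
    host = (parts.hostname or "").lower()  # hostname excludes any userinfo before '@'
    return "ok" if parts.scheme == "https" and host in ALLOWED_HOSTS else "external"

def iter_actions(node, path=""):
    """Yield (path, action) for every action, including nested scopes and branches."""
    for key, child in (node.items() if isinstance(node, dict) else ()):
        if key == "actions" and isinstance(child, dict):
            for name, action in child.items():
                yield f"{path}/{name}", action
                yield from iter_actions(action, f"{path}/{name}")
        else:
            yield from iter_actions(child, path)

def audit_flow(definition):
    """List (path, verdict, site) for SharePoint actions whose site is not allowlisted."""
    findings = []
    for path, action in iter_actions(definition):
        inputs = action.get("inputs") if isinstance(action, dict) else None
        host = inputs.get("host", {}) if isinstance(inputs, dict) else {}
        if str(host.get("apiId", "")).endswith(SHAREPOINT_API):
            site = inputs.get("parameters", {}).get("dataset")
            verdict = classify_site(site)
            if verdict != "ok":
                findings.append((path, verdict, site))
    return findings

def _sp_action(site):  # builds one constructed SharePoint connector action
    api_id = "/providers/Microsoft.PowerApps/apis/" + SHAREPOINT_API
    return {"inputs": {"host": {"apiId": api_id}, "parameters": {"dataset": site}}}
# Constructed sample definition, not taken from a real tenant.
SAMPLE_FLOW = {"actions": {
    "Get_items": _sp_action("https://contoso.sharepoint.com/sites/hr"),
    "Check": {"type": "If", "actions": {}, "else": {"actions": {
        "Get_files": _sp_action("https://files.example.net/sites/hr")}}},
    "Get_lists": _sp_action("@{triggerBody()?['site']}"),
}}

if __name__ == "__main__":
    print(audit_flow(SAMPLE_FLOW))
```

Actions reported as dynamic are not necessarily malicious; they are the ones a static check cannot vouch for and that need a manual look at where the value comes from.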

The development comes as Binary Security revealed three SSRF vulnerabilities in Azure DevOps that could have been abused to communicate with the , allowing an attacker to learn about the machine’s configuration.
