A serious vulnerability in Microsoft Power BI allows unauthorized users to access sensitive underlying data from reports, impacting tens of thousands of organizations. This flaw enables attackers to extract additional data beyond what is displayed in the reports, including details from hidden tables and columns. The issue affects both internal and publicly shared reports, posing a risk to employee, customer, and potentially confidential data.
The vulnerability was identified by Nokod Security, but Microsoft has categorized it as a feature rather than a security concern. Power BI’s semantic models expose all data, including hidden attributes, even if only aggregated or subset data is shown in a report. This means that any user with access to a report can potentially retrieve hidden and sensitive information.
The exploitation involves making specific API calls to retrieve data from Power BI reports. Public reports use one endpoint, while organizational reports use another, which relies on a capacity object identifier for authorization. Attackers can exploit these endpoints to access both visible and hidden data from the report’s underlying semantic model.
Nokod Security’s findings indicate that this vulnerability is particularly critical for reports containing confidential information like financial or healthcare data. Attackers can leverage public or organizational reports to access and potentially misuse sensitive data. This exposure highlights the need for improved security measures to protect against such vulnerabilities.
Reference:
