Details have emerged about three fixed security vulnerabilities in Dynamics 365 and Power Apps Web API that could lead to data disclosure.
Disadvantages revealed by Melbourne-based cyber security company Stratus Security, were eliminated as of May 2024. Two of the three weaknesses are in Power Platform OData Web API Filterand the third vulnerability is rooted in the FetchXML API.
The root cause of the first vulnerability is the lack of access control for the OData web API filter, which allows access to table of contacts that holds confidential information for example, full names, phone numbers, addresses, financial data, and password hashes.
A threat actor could then use the flaw to perform a boolean search to extract the full hash, successively guessing each character of the hash until the correct value is determined.
“For example, we start by sending startswith(adx_identity_passwordhash, ‘a’), then startswith(adx_identity_passwordhash ‘aa’), then starts with (adx_identity_passwordhash , ‘ab’) and so on until it returns results that start with ab,” Stratus Security said.
“We continue this process until the query returns results that begin with ‘ab.’ Eventually, when no more characters return the correct result, we know we got the full value.”
A second vulnerability, on the other hand, is using the orderby clause in the same API to retrieve data from a required database table column (eg Email address1which links to the primary email address for the contact).
Finally, Stratus Security has also discovered that the FetchXML API can be used in conjunction with the contact table to access restricted columns using an orderby query.
“Using the FetchXML API, an attacker can create an orderby query for any column, completely bypassing existing access controls,” it said. “Unlike previous vulnerabilities, this method does not require orderby to be placed in descending order, which adds a level of flexibility to the attack.”
Therefore, an attacker exploiting these flaws could compile a list of password and email hashes and then crack the passwords or sell the data.
“The discovery of vulnerabilities in Dynamics 365 and the Power Apps API highlights an important reminder that cybersecurity requires constant vigilance, especially for large companies that store as much data as Microsoft,” Stratus Security said.
