Researchers discovered an abandoned reply URL on an Azure AD application that could have allowed unauthorized access to the Microsoft Power Platform API. Microsoft patched the flaw within a day of the bug report by removing the abandoned reply URL from the application.
A Reply URL Flaw Allowed Malicious Access to Microsoft Power Platform API
According to a recent post from Secureworks, a severe security flaw exposed the Microsoft Power Platform API to malicious access.
Power Platform is Microsoft's low-code suite of business applications (Power BI, Power Apps, Power Automate and related services), covering app development, workflow automation, data visualization, and connectivity between services.
Regarding the vulnerability, the researchers described finding an abandoned reply URL (redirect URI) registered on a Microsoft Azure Active Directory (Azure AD) application linked to Power Platform. A reply URL is where Azure AD sends the authorization code after a user signs in, so whoever controls the host behind an abandoned one receives codes intended for the legitimate application. Because the application is trusted by the Power Platform API, exploiting the abandoned URL could give an adversary unauthorized access to the API, and given the scope of the privileges the API grants, that access could translate into elevated privileges for the adversary.
The researchers did not take the exploit further, but they did demonstrate it with a proof of concept (PoC). Their post describes how redirecting authorization codes to a server under their control let them obtain tokens and gain admin privileges within Power Platform.
In brief, the attack begins by tricking the victim into clicking a malicious sign-in link whose redirect target is the reply URL claimed by the adversary; Azure AD authenticates the user and sends the authorization code to that URL as a query parameter. Next, the attacker's server exchanges the authorization code for an access token. In the last step, the researchers demonstrated calling the middle-tier service with that access token. They noted, however, that an attacker could exchange authorization codes for access tokens directly, without involving the middle-tier service at all.
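The practical takeaway for anyone running app registrations is to audit reply URLs for the condition exploited here: a registered URL whose host no longer resolves, especially one on a cloud DNS suffix that any subscription can re-register. The following Python script is an added example, not code from Secureworks or Microsoft. The manifest layout follows the Microsoft Graph application object's web, spa and publicClient redirectUris fields; the sample manifest, its app ID and host names, the offline resolver stub and the list of claimable suffixes are constructed for the example.

```python
"""Audit an Azure AD app registration manifest for abandoned (dangling) reply URLs.

Constructed example. The manifest shape mirrors the Microsoft Graph `application`
object (web/spa/publicClient -> redirectUris); every host name, the app ID and the
resolver stub below are made up for illustration.
"""
import socket
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit

# Assumption: DNS suffixes where a released name can be re-registered by anyone
# with a subscription, i.e. a dangling entry here is directly claimable.
CLAIMABLE_SUFFIXES = (
    ".azurewebsites.net",
    ".trafficmanager.net",
    ".cloudapp.azure.com",
    ".blob.core.windows.net",
)

# Constructed sample manifest (made-up app ID and host names).
SAMPLE_MANIFEST = {
    "appId": "00000000-0000-0000-0000-000000000000",
    "web": {
        "redirectUris": [
            "https://app.contoso.example/signin-oidc",
            "https://old-integration.azurewebsites.net/callback",
            "https://retired.contoso.example/auth",
            "http://app.contoso.example/legacy",
        ]
    },
    "spa": {"redirectUris": ["https://app.contoso.example/spa"]},
    "publicClient": {"redirectUris": ["http://localhost:8080/", "msal00000000://auth"]},
}


def collect_reply_urls(manifest: Dict) -> List[str]:
    """Flatten the redirect URIs from every platform section of the manifest."""
    urls: List[str] = []
    for section in ("web", "spa", "publicClient"):
        urls.extend(manifest.get(section, {}).get("redirectUris", []))
    return urls


def dns_resolves(host: str) -> bool:
    """Live DNS check; swap in a stub (see offline_resolver) for offline runs."""
    try:
        socket.gethostbyname(host)
        return True
    except (socket.gaierror, UnicodeError):
        return False


def classify_reply_url(url: str, resolver: Callable[[str], bool]) -> str:
    """Return a verdict string for one reply URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https"):
        return "non-http"            # e.g. msal<appid>://auth; not a DNS takeover surface
    if host in ("localhost", "127.0.0.1"):
        return "loopback"            # the only place a plain-http reply URL is acceptable
    if not resolver(host):
        # Nobody answers for this name: the authorization code would be sent to
        # whoever registers it. On a claimable suffix that is a one-step takeover.
        return "dangling-claimable" if host.endswith(CLAIMABLE_SUFFIXES) else "dangling"
    if parts.scheme == "http":
        return "insecure-scheme"     # the code would travel in clear text
    return "ok"


def audit_reply_urls(
    manifest: Dict, resolver: Callable[[str], bool] = dns_resolves
) -> List[Tuple[str, str]]:
    """Return (url, verdict) for every reply URL that needs attention."""
    findings: List[Tuple[str, str]] = []
    for url in collect_reply_urls(manifest):
        verdict = classify_reply_url(url, resolver)
        if verdict not in ("ok", "loopback", "non-http"):
            findings.append((url, verdict))
    return findings


def offline_resolver(host: str) -> bool:
    """Stub standing in for DNS: only the 'live' host of the sample manifest exists."""
    return host == "app.contoso.example"


if __name__ == "__main__":
    for url, verdict in audit_reply_urls(SAMPLE_MANIFEST, offline_resolver):
        print(f"{verdict:20} {url}")
```

Run against a real tenant, feed it the JSON returned for each application by Microsoft Graph and use the live dns_resolves resolver; a "dangling-claimable" verdict is the exact precondition of the attack described above and should be removed from the registration before anyone else registers the name.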
Microsoft Patched The Vulnerability
The researchers reported the vulnerability to Microsoft in April 2023. Microsoft acted promptly, shipping a fix in an Azure AD update the following day: it removed the abandoned reply URL from the Azure AD application.
Let us know your thoughts in the comments.