Home Latest Cyber Security News | Network Security Hacking Microsoft Power Platform API Threatened Due To Reply URL Flaw
Latest Cyber Security News | Network Security HackingNewsVulnerabilities

Microsoft Power Platform API Threatened Due To Reply URL Flaw

by Abeerah Hashim
written by Abeerah Hashim
Microsoft Power Platform API Threatened Due To Reply URL Flaw

Researchers discovered a reply URL flaw in Azure AD that could allow unauthorized access to Microsoft Power Platform API. Microsoft patched the flaw following the bug report, by removing the abandoned reply URL from the app.

A Reply URL Flaw Allowed Malicious Access to Microsoft Power Platform API

According to a recent post from Secureworks, a severe security flaw risked Microsoft Power Platform API to malicious access.

Power Platform is a business intelligence suite from Microsoft, constituting various software facilitating app connectivity, development, data visualization, and more.

Regarding the vulnerability, the researchers explained about discovering an abandoned reply URL in the Microsoft Azure Active Directory (Azure AD) application. Since it’s linked with Power Platform, exploiting this abandoned URL could let an adversary gain unauthorized access to Power Platform API. Given the range of explicit privileges the API exhibits, malicious access to the API risks granting elevated privileges to an adversary.

While the researchers didn’t exploit the vulnerability to a greater extent, they did demonstrate the exploit via a PoC. Their post described how they could redirect authorization tokens to gain admin privileges within the Power Platform.

In brief, the attack begins by tricking the victim user into clicking a malicious link that redirects to the reply URL claimed by the adversary. Next, the attacker’s server exchanges the authorization code in the URL parameter for the access token. In the last step, the researchers demonstrated calling the middle-tier service using the access token. However, they explained that an attacker could exchange authorization codes for access tokens directly without involving the middle-tier service.

Microsoft Patched The Vulnerability

Upon discovering the vulnerability, the researchers reported the vulnerability to Microsoft in April 2023. Following their report, Microsoft acted promptly to develop a patch, releasing it with an immediate Azure AD update the following day. The tech giant removed the abandoned reply URL from the Azure AD application to address the flaw.

Let us know your thoughts in the comments.

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]

You may also like

Multiple Vulnerabilities Found In Forminator WordPress Plugin

Palo Alto Networks Patched A Pan-OS Vulnerability Under...

Apple Removed Numerous Apps From China App Store

Xiid SealedTunnel: Unfazed by Yet Another Critical Firewall...

Personal Data Exposed in Massive Global Hack: Understanding...

Guardz Welcomes SentinelOne as Strategic Partner and Investor...

Invision Community Vulnerabilities Risk E-Commerce Websites

Microsoft April Patch Tuesday Fixes Dozens of RCE...

Match Systems publishes report on the consequences of...

Cypago Announces New Automation Support for AI Security...