Cybersecurity researchers from the Nokod research team have discovered that Power BI, Microsoft's business intelligence tool, is leaking sensitive data in a way that is quite easy to extract.
In a blog post detailing the findings, Nokod said the vulnerability affects “tens of thousands” of organizations around the world, and that malicious actors could abuse the flaw to obtain sensitive data, such as employee, customer, etc. information. companies and government.
Protected health information (PHI) as well as personally identifiable information (PII) can also be accessed, the researchers said. All of this can be done online and anonymously.
Easy to exploit
Describing the problem, Nokod said that each Power BI report is built on a semantic model, that is, all the data used for visualization. The report object is what defines what data becomes visible in the user interface and how. Now, when a user shares a report object with other people, those people can access all of the underlying raw data represented by the semantic model.
In other words, detailed data records used to display aggregations in the report UI, tables that are included in the semantic model and are not displayed in the report at all (even when these tables are explicitly marked as “hidden”). in the model), undisplayed columns from tables that are not visible in the report user interface (as details or aggregations, and even when these columns are explicitly marked as “hidden” in the model), detailed data records from the tables that are used in the display, even if the display filters these records, all of this can be accessed. To make matters worse, Nokod says that extracting this data is “very easy.”
“This behavior affects reports that can be accessed within an organization, as well as reports that are published on the web,” they said, adding that they found numerous publicly accessible reports through search engines and were able to extract confidential data from them.
Nokod notified Microsoft of its findings, but the Redmond software giant said this was not a bug, but a feature.
“Microsoft's position is that the behavior we discovered is a design choice rather than a vulnerability,” the researchers said. “Therefore, it is the responsibility of the organizations that create and share the reports to create them in a way that does not reveal any sensitive information.”
The researchers said they disagree with Microsoft and shared a list of things they can do to help organizations protect their data while creating reports, as well as a free risk assessment tool, both of which can be found here.
