In early 2023 [5], researchers from the Secureworks Counter Threat Unit (CTU) discovered a critical vulnerability that led from an Azure Active Directory (Azure AD) application into Microsoft’s Power Platform: an abandoned reply URL on a first-party Microsoft app let an attacker receive tokens issued to victims and use them to elevate privileges.

Description

A reply URL (redirect URI) is the location Azure AD sends an authorization response to after sign-in, and Azure AD will redirect to any URL registered for the application. The vulnerability was an abandoned reply URL on a Microsoft app [1]: the host behind it had been decommissioned, so an attacker who re-registered that name would receive the victim’s authorization response and with it an access token. The CTU researchers built a scanner to look for abandoned reply URLs in Azure AD applications and found one on the Dynamics Data Integration app, pointing at an Azure Traffic Manager profile that no longer existed [5]. Because this app is pre-consented (a first-party Microsoft app already authorized in tenants), a victim who followed a crafted sign-in link saw no consent prompt [5]. The bug was reported to Microsoft, which fixed it within a short time by removing the abandoned reply URL [5].

The researchers then traced what the stolen token could reach. The client-side app called a getExternalData endpoint on a middle-tier service, which proxied requests to downstream APIs on the caller’s behalf [5]. Both the Power Platform API and the Azure AD Graph API were reachable through that middle tier [5]. The Power Platform API in particular lets a user manage environments, change settings and query capacity consumption [5], so a token the middle tier accepts is an attractive target for an attacker.

To demonstrate impact, the researchers used this path to elevate the privileges of an existing service principal on the Power Platform API; they reported the finding to Microsoft, which released an update to address the issue [5].

To prevent similar attacks [2], organizations should register only redirect URIs that point at resources they control, and remove a reply URL when the system behind it is sunset, rather than leaving it pointing at a DNS name anyone can re-register. Security admins should review the reply URLs of their Azure AD applications on a regular basis [2], and a vendor hosting an API should proactively monitor its own apps for abandoned redirect URLs [3]. Secureworks has released a tool to help find them [4].
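The check described above, as an added example that is not Secureworks’ tool or any code from the original page: it walks app registrations in the shape Microsoft Graph returns for `GET /applications` (`web`, `spa` and `publicClient` redirect URIs), resolves each reply URL’s host, and flags hosts that no longer exist, rating a dead host higher when it sits under a suffix where an unregistered name can be claimed by anyone (Traffic Manager profiles, App Service sites and similar). The sample app records, the placeholder appIds, the offline resolver and the list of takeover-prone suffixes are all constructed assumptions for the demonstration.

```python
"""Find Azure AD app registrations whose reply URLs point at hosts that no longer resolve.

Added example, not Secureworks' scanner. The app records below are constructed
in the shape of Microsoft Graph `application` objects; `fake_resolve` is a
constructed resolver so the script runs offline. For a real scan, feed the
output of `GET https://graph.microsoft.com/v1.0/applications` and pass
`resolve_dns` instead of `fake_resolve`.
"""
import socket
from typing import Callable, Dict, Iterator, List, Optional
from urllib.parse import urlsplit

# Assumed list of suffixes where a dangling name can be re-registered by any
# Azure customer, turning a dead link into a takeover. Extend for your estate.
TAKEOVER_PRONE_SUFFIXES = (
    ".trafficmanager.net",
    ".azurewebsites.net",
    ".cloudapp.azure.com",
    ".blob.core.windows.net",
    ".azurefd.net",
)

# Constructed sample app registrations; appIds are placeholders, not real apps.
SAMPLE_APPS: List[Dict] = [
    {
        "displayName": "Data integration connector (constructed sample)",
        "appId": "00000000-0000-0000-0000-000000000001",
        "web": {"redirectUris": [
            "https://dataintegration.example.trafficmanager.net/auth/callback",
            "https://app.example.com/signin-oidc",
        ]},
        "spa": {"redirectUris": []},
        "publicClient": {"redirectUris": ["http://localhost:8080/"]},
    },
    {
        "displayName": "Internal portal (constructed sample)",
        "appId": "00000000-0000-0000-0000-000000000002",
        "web": {"redirectUris": [
            "https://legacy-portal.example.azurewebsites.net/",
            "https://old.example.net/callback",
        ]},
    },
]

# Constructed resolver: only these names "exist" in the offline demo.
LIVE_HOSTS = {"app.example.com"}


def fake_resolve(host: str) -> Optional[str]:
    """Offline stand-in for DNS: an address for known hosts, None otherwise."""
    return "203.0.113.10" if host in LIVE_HOSTS else None


def resolve_dns(host: str) -> Optional[str]:
    """Real lookup; None when the name does not resolve (NXDOMAIN or no answer)."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def reply_urls(app: Dict) -> Iterator[str]:
    """Yield every redirect URI registered on an application, across all platforms."""
    for section in ("web", "spa", "publicClient"):
        for uri in app.get(section, {}).get("redirectUris", []):
            yield uri


def is_takeover_prone(host: str) -> bool:
    return host.endswith(TAKEOVER_PRONE_SUFFIXES)


def scan(apps: List[Dict], resolve: Callable[[str], Optional[str]]) -> List[Dict]:
    """Return one finding per reply URL whose host does not resolve."""
    findings = []
    for app in apps:
        for uri in reply_urls(app):
            host = urlsplit(uri).hostname
            # Loopback redirect URIs are normal for native clients and not takeable.
            if not host or host in ("localhost", "127.0.0.1", "::1"):
                continue
            if resolve(host) is None:
                findings.append({
                    "appId": app["appId"],
                    "displayName": app["displayName"],
                    "redirectUri": uri,
                    "host": host,
                    # A dead name under a re-registrable suffix is the Secureworks scenario.
                    "severity": "high" if is_takeover_prone(host) else "medium",
                })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_APPS, fake_resolve):
        print(f"[{f['severity']}] {f['displayName']} ({f['appId']}): {f['redirectUri']}")
```

Run against real Graph output, the "high" findings are the ones to treat as live takeover candidates: remove the reply URL or re-claim the name yourself before anyone else does. Note that the scan only sees app registrations your tenant owns; a first-party Microsoft app like the one in this report has to be monitored by the vendor, which is why the recommendation above applies to both sides.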

Conclusion

The vulnerability discovered in Microsoft’s Power Platform shows how a forgotten reply URL on an Azure AD application can become a token-theft path. Microsoft has resolved this instance [1], but organizations should keep reviewing their applications’ reply URLs, and both security admins and API vendors should monitor for abandoned redirect URLs, since a decommissioned host that is still registered as a reply URL is an open invitation to takeover.

References

[1] https://community.passbolt.com/t/week-21st-aug-25th-aug-2023-week-34/8313
[2] https://www.infosecurity-magazine.com/news/reply-url-takeover-issue-azure/
[3] https://www.scmagazine.com/news/abandoned-reply-url-in-azure-ad-app-could-let-attackers-gain-privileges-to-launch-attacks
[4] https://www.silicon.co.uk/projects/software-vendors/secureworks-discovers-vulnerability-in-microsoft-identity-solution-526716
[5] https://www.secureworks.com/research/power-platform-privilege-escalation