Summary: Recently discovered vulnerabilities in Dynamics 365 and Power Apps Web API could lead to significant data exposure, including sensitive information such as password hashes and email addresses. These flaws, identified by Stratus Security, have been patched as of May 2024, but highlight the ongoing risks in API security.
Threat Actor: Unknown | unknown
Victim: Microsoft | Microsoft
Key Point :
- Three vulnerabilities were found in Dynamics 365 and Power Apps Web API, two in the OData Web API Filter and one in the FetchXML API.
- The first vulnerability allows unauthorized access to sensitive data in the contacts table due to lack of access control.
- The second vulnerability enables attackers to exploit the orderby clause to extract data from specific database columns.
- The FetchXML API vulnerability allows bypassing access controls to access restricted columns using crafted orderby queries.
- These vulnerabilities could lead to the compilation of password hashes and emails, posing a risk of data theft or sale.
Details have emerged about three now-patched security vulnerabilities in Dynamics 365 and Power Apps Web API that could result in data exposure.
The flaws, discovered by Melbourne-based cybersecurity company Stratus Security, have been addressed as of May 2024. Two of the three shortcomings reside in Power Platform’s OData Web API Filter, while the third vulnerability is rooted in the FetchXML API.
The root cause of the first vulnerability is the lack of access control on the OData Web API Filter, thereby allowing access to the contacts table that holds sensitive information such as full names, phone numbers, addresses, financial data, and password hashes.
A threat actor could then weaponize the flaw to perform a boolean-based search to extract the complete hash by guessing each character of the hash sequentially until the correct value is identified.
“For example, we start by sending startswith(adx_identity_passwordhash, ‘a’) then startswith(adx_identity_passwordhash , ‘aa’) then startswith(adx_identity_passwordhash , ‘ab’) and so on until it returns results that start with ab,” Stratus Security said.
“We continue this process until the query returns results that start with ‘ab’. Eventually, when no further characters return a valid result, we know we have obtained the complete value.”
The second vulnerability, on the other hand, lies in using the orderby clause in the same API to obtain the data from the necessary database table column (e.g., EMailAddress1, which refers to the primary email address for the contact).
Lastly, Stratus Security also found that the FetchXML API could be exploited in conjunction with the contacts table to access restricted columns using an orderby query.
“When utilizing the FetchXML API, an attacker can craft an orderby query on any column, completely bypassing the existing access controls,” it said. “Unlike the previous vulnerabilities, this method does not necessitate the orderby to be in descending order, adding a layer of flexibility to the attack.”
An attacker weaponizing these flaws could, therefore, compile a list of password hashes and emails, then crack the passwords or sell the data.
“The discovery of vulnerabilities in the Dynamics 365 and Power Apps API underscores a critical reminder: cybersecurity requires constant vigilance, especially for large companies that hold so much data like Microsoft,” Stratus Security said.
Source:
https://thehackernews.com/2025/01/severe-security-flaws-patched-in.html