Summary: This content discusses a vulnerability in Power BI that allows an attacker to access hidden columns and tables in a report’s semantic model.
Threat Actor: Unknown | Unknown
Victim: Power BI users | Power BI users
Key Point :
- A user can request names of hidden columns and tables in a Power BI report’s semantic model.
- The attacker can add data to the visualization by making an API call to the appropriate endpoint.
A user can also request names of columns and tables to be queried as long as they are part of the underlying semantic model of the report. This is true even when said columns and tables are marked as “hidden” by the owner of the semantic model.
Removing filters and aggregations is very straightforward, as shown in the previous example, and requires no knowledge about the schema of the data source. However, in order to add data that is not included in the visualization, the attacker would need some knowledge about the schema. This can be obtained by another API call that is used for generating a Power BI report. For public reports, the call is a POST request to the following endpoint:
https://wabi-west-europe-f-primary-api.analysis.windows.net/public/reports/conceptualschema
A different endpoint is used for reports that are only available for users in the organization:
https://wabi-west-europe-f-primary-redirect.analysis.windows.net/explore/conceptualschema
The response of this API call includes a representation of the entire semantic model of the report, including those columns and tables that are not used in the visualization, even if those were marked as “hidden” by the creator of the report.
In the following example, we connect a SQL DB to the report and hide the “secrets” table. As you can see, it is still returned by the call to the “conceptualschema” API, and all the columns and values are accessible through the “query” API.
“An interesting youtube video that may be related to the article above”