Dynamics 365 and Power Apps API Flaws: Microsoft Users at Risk


Recent revelations about three significant security vulnerabilities in Microsoft Dynamics 365 and Power Apps Web API underscore the ever-present need for robust cybersecurity practices. Discovered by the Melbourne-based cybersecurity firm Stratus Security, these flaws have been patched as of May 2024, but not before they exposed sensitive user data to potential exploitation.

Overview of the Vulnerabilities

The identified vulnerabilities affect the Power Platform’s OData Web API Filter and the FetchXML API, components crucial for data handling and querying within these applications. The flaws could enable unauthorized access to sensitive data, such as names, phone numbers, addresses, financial details, and password hashes stored in the contacts table.

Breakdown of the Security Flaws

1. Lack of Access Control in OData Web API Filter

The first vulnerability stems from insufficient access control mechanisms on the OData Web API Filter. This loophole allows unauthorized users to query the contacts table containing sensitive data.

An attacker could exploit this vulnerability by performing a boolean-based brute-force attack to retrieve password hashes character by character. The attack proceeds as follows:

  • The malicious actor sends queries like startswith(adx_identity_passwordhash, 'a') to test if the hash begins with the letter ‘a’.

  • If the prefix does not match, they try the next candidate character until one does.

  • This process repeats, appending characters sequentially (e.g., ‘aa’, ‘ab’), until the complete hash is reconstructed.

This method, although labor-intensive, shows why robust access controls are critical to preventing unauthorized access.

2. Exploitation via the OrderBy Clause

The second vulnerability exploits the orderby clause within the same API. By leveraging this query parameter, attackers can extract data from specific database columns, such as the primary email addresses (‘EMailAddress1’) of users.

The use of orderby to target specific fields underscores a broader issue with insufficient query parameter validation, which leaves data tables exposed to precise, targeted attacks.

3. FetchXML API Vulnerability

The third flaw resides in the FetchXML API, which attackers can exploit to bypass access controls altogether. By crafting orderby queries that target restricted columns, malicious actors can extract sensitive information without needing descending-order queries, which makes the technique even more versatile.

Unlike the previous vulnerabilities, this exploit demonstrates how minor oversights in query parameter handling can significantly broaden the scope of potential attacks, enabling bad actors to circumvent existing safeguards effortlessly.
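The three flaws described above share one root cause: the API accepted $filter, $orderby and FetchXML order clauses that named columns the caller was never entitled to read. The Python below is an added example written for this article, not code from Microsoft or Stratus Security. It shows how a server-side gateway can allowlist the filterable and sortable attributes per entity and refuse any query, OData or FetchXML, that touches adx_identity_passwordhash or emailaddress1 in any clause. The per-entity allowlists, the example.invalid host and the helper names are assumptions; the FetchXML check reads `<condition>` and `<order>` elements and deliberately ignores the descending flag, since the third flaw did not depend on it.

```python
import re
import xml.etree.ElementTree as ET  # use defusedxml for untrusted XML in production
from urllib.parse import parse_qs, urlsplit

# Hypothetical per-entity allowlists (constructed for this example, not the real
# Dataverse table-permission model): attributes an untrusted portal caller may
# filter or sort on. Anything not listed is refused.
ALLOWED_FILTER_ATTRS = {"contact": {"contactid", "firstname", "lastname"}}
ALLOWED_ORDER_ATTRS = {"contact": {"lastname", "createdon"}}

# Columns the article names as exposed; refused in every clause regardless of allowlist.
DENIED_ATTRS = {"adx_identity_passwordhash", "emailaddress1"}

ODATA_KEYWORDS = {"and", "or", "not", "eq", "ne", "gt", "ge", "lt", "le", "true", "false", "null"}
ODATA_FUNCS = {"startswith", "endswith", "contains", "tolower", "toupper", "trim", "length"}
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
STRING_RE = re.compile(r"'(?:[^']|'')*'")
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


class QueryRejected(ValueError):
    """Raised when a query references an attribute the caller may not use."""


def attrs_in_filter(expr: str) -> set:
    """Attribute names referenced by an OData $filter expression.
    String literals and GUIDs are blanked first so a quoted value such as
    'adx_identity_passwordhash' is not mistaken for a column reference."""
    cleaned = GUID_RE.sub("0", STRING_RE.sub("''", expr))
    idents = {t.lower() for t in IDENT_RE.findall(cleaned)}
    return idents - ODATA_KEYWORDS - ODATA_FUNCS


def attrs_in_orderby(expr: str) -> set:
    """$orderby is 'attr [asc|desc], attr [asc|desc], ...'; only the attribute matters.
    Direction is deliberately ignored: a restricted column is refused whether or
    not 'desc' is present."""
    return {part.split()[0].lower() for part in expr.split(",") if part.strip()}


def _check(entity: str, attrs: set, allowed: dict, clause: str) -> None:
    for attr in sorted(attrs):
        if attr in DENIED_ATTRS or attr not in allowed.get(entity, set()):
            raise QueryRejected(f"{clause} on '{attr}' is not permitted for entity '{entity}'")


def validate_odata(entity: str, url: str) -> dict:
    """Validate the $filter and $orderby of a Web API request URL against the
    allowlists. Returns the referenced attributes, or raises QueryRejected."""
    params = parse_qs(urlsplit(url).query)
    flt = attrs_in_filter(params.get("$filter", [""])[0])
    order = attrs_in_orderby(params.get("$orderby", [""])[0])
    _check(entity, flt, ALLOWED_FILTER_ATTRS, "$filter")
    _check(entity, order, ALLOWED_ORDER_ATTRS, "$orderby")
    return {"filter": sorted(flt), "orderby": sorted(order)}


def validate_fetchxml(fetchxml: str) -> dict:
    """Apply the same allowlists to a FetchXML query: <condition attribute=...>
    is treated like $filter and <order attribute=...> like $orderby."""
    entity_el = ET.fromstring(fetchxml).find("entity")
    if entity_el is None or not entity_el.get("name"):
        raise QueryRejected("FetchXML has no <entity name=...>")
    entity = entity_el.get("name").lower()
    conds = {c.get("attribute", "").lower() for c in entity_el.iter("condition")}
    orders = {o.get("attribute", "").lower() for o in entity_el.iter("order")}
    _check(entity, conds, ALLOWED_FILTER_ATTRS, "condition")
    _check(entity, orders, ALLOWED_ORDER_ATTRS, "order")
    return {"entity": entity, "filter": sorted(conds), "orderby": sorted(orders)}


def odata_allowed(entity: str, url: str) -> bool:
    """Boolean convenience wrapper around validate_odata."""
    try:
        validate_odata(entity, url)
        return True
    except QueryRejected:
        return False


def fetchxml_allowed(fetchxml: str) -> bool:
    """Boolean convenience wrapper around validate_fetchxml."""
    try:
        validate_fetchxml(fetchxml)
        return True
    except QueryRejected:
        return False


if __name__ == "__main__":
    base = "https://example.invalid/api/data/v9.2/contacts"  # placeholder host
    print(validate_odata("contact", base + "?$filter=firstname eq 'Alice'&$orderby=lastname desc"))
    # The probes the article describes are refused at the column level:
    print(odata_allowed("contact", base + "?$filter=startswith(adx_identity_passwordhash,'a')"))
    print(odata_allowed("contact", base + "?$orderby=emailaddress1"))
```

The design point is that the allowlist is applied per clause, not per request: a column that may appear in $select is still refused in $filter, $orderby or a FetchXML `<order>` unless it is explicitly listed there, because each of those clauses leaks information about the column's value even when the column itself is never returned.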


Potential Impact of the Exploits

The combined exploitation of these vulnerabilities enables attackers to compile comprehensive datasets, including:

  • Password hashes

  • Primary email addresses

  • Additional personal and financial details

Once acquired, this information can be used to crack passwords, facilitate identity theft, or be sold on the dark web. The scale of the risk is amplified by the widespread use of Dynamics 365 and Power Apps across industries.

Microsoft’s Response and Mitigation Steps

Microsoft has issued patches to address these vulnerabilities, emphasizing the importance of timely updates to secure enterprise systems. Organizations using Dynamics 365 and Power Apps are strongly advised to:

  1. Apply Updates Promptly: Ensure that all systems are running the latest patched versions.

  2. Audit API Usage: Review and restrict API queries to limit exposure to sensitive data.

  3. Implement Multi-Factor Authentication (MFA): Reduce the risk of unauthorized access, even if password hashes are compromised.

  4. Monitor Network Traffic: Identify unusual query patterns that may indicate an attempted exploit.

  5. Conduct Regular Penetration Testing: Validate system security to proactively identify and remediate vulnerabilities.
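Steps 2 and 4 above call for auditing API usage and spotting unusual query patterns. As an added example, not from the article or from Microsoft, the Python below runs over a constructed access-log sample and flags two of the patterns the article describes: a run of distinct startswith() probes against a sensitive column from one client inside a short window, and any $orderby on a sensitive column. The log format, the thresholds, the IP addresses and the function names are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample of API gateway access logs (not real traffic):
# "<ISO timestamp> <client IP> <method> <path+query> <status>".
SAMPLE_LOG = """\
2024-05-02T10:15:00Z 192.0.2.10 GET /api/data/v9.2/contacts?$select=fullname&$filter=firstname%20eq%20'Alice' 200
2024-05-02T10:15:01Z 203.0.113.7 GET /api/data/v9.2/contacts?$filter=startswith(adx_identity_passwordhash,'a') 200
2024-05-02T10:15:02Z 203.0.113.7 GET /api/data/v9.2/contacts?$filter=startswith(adx_identity_passwordhash,'b') 200
2024-05-02T10:15:03Z 203.0.113.7 GET /api/data/v9.2/contacts?$filter=startswith(adx_identity_passwordhash,'c') 200
2024-05-02T10:15:04Z 203.0.113.7 GET /api/data/v9.2/contacts?$filter=startswith(adx_identity_passwordhash,'ca') 200
2024-05-02T10:15:05Z 203.0.113.7 GET /api/data/v9.2/contacts?$filter=startswith(adx_identity_passwordhash,'cb') 200
2024-05-02T10:15:06Z 203.0.113.7 GET /api/data/v9.2/contacts?$filter=startswith(adx_identity_passwordhash,'cc') 200
2024-05-02T10:16:40Z 198.51.100.4 GET /api/data/v9.2/contacts?$select=fullname&$orderby=emailaddress1%20desc 200
2024-05-02T10:17:00Z 192.0.2.10 GET /api/data/v9.2/contacts?$filter=startswith(lastname,'Sm') 200
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
STARTSWITH_RE = re.compile(r"startswith\(\s*(?P<attr>[A-Za-z0-9_]+)\s*,\s*'(?P<lit>(?:[^']|'')*)'", re.I)
ORDERBY_RE = re.compile(r"\$orderby=(?P<attr>[A-Za-z0-9_]+)", re.I)

# Columns the article names as exposed (assumed sensitive for this example).
SENSITIVE_ATTRS = {"adx_identity_passwordhash", "emailaddress1"}
PROBE_THRESHOLD = 5             # distinct startswith probes per client+column ...
WINDOW = timedelta(minutes=10)  # ... within this time window


def parse_line(line: str):
    """Split one log line into timestamp, client and the decoded query string."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    query = unquote(m["path"].partition("?")[2])
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "client": m["client"], "query": query}


def detect(lines) -> list:
    """Return findings for prefix-enumeration runs and orderby use on sensitive columns."""
    findings = []
    probes = defaultdict(list)  # (client, attr) -> [(timestamp, literal), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for m in STARTSWITH_RE.finditer(rec["query"]):
            attr = m["attr"].lower()
            if attr in SENSITIVE_ATTRS:
                probes[(rec["client"], attr)].append((rec["ts"], m["lit"]))
        m = ORDERBY_RE.search(rec["query"])
        if m and m["attr"].lower() in SENSITIVE_ATTRS:
            findings.append({"type": "orderby_sensitive_column", "client": rec["client"],
                             "attr": m["attr"].lower(), "ts": rec["ts"]})
    for (client, attr), events in probes.items():
        events.sort()
        times = [t for t, _ in events]
        for i in range(len(events)):
            j = i
            while j + 1 < len(events) and times[j + 1] - times[i] <= WINDOW:
                j += 1
            literals = {lit for _, lit in events[i:j + 1]}
            if len(literals) >= PROBE_THRESHOLD:
                findings.append({"type": "prefix_enumeration", "client": client, "attr": attr,
                                 "probes": len(literals),
                                 "longest_prefix": max(len(lit) for lit in literals),
                                 "first": times[i], "last": times[j]})
                break  # one finding per client+column is enough
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(finding)
```

The sliding window keeps the rule robust to slow probing: a client that spreads its queries over minutes still accumulates distinct prefixes inside the window, and the longest_prefix value in the finding tells the analyst how far the enumeration had progressed. The orderby rule is intentionally unconditional, because the article's second and third flaws needed only a single sorted request per column rather than a volume of traffic.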

Lessons for the Industry

The discovery of these vulnerabilities highlights a broader challenge for organizations managing large-scale systems:

  • Constant Vigilance: Cybersecurity is an ongoing process that requires continuous monitoring and proactive measures.

  • Comprehensive Access Controls: Implementing robust, fine-grained access control mechanisms is critical to safeguarding sensitive data.

  • Collaboration with Security Researchers: Encouraging external audits and engaging with the cybersecurity community can help uncover vulnerabilities before they are exploited.

Conclusion

The vulnerabilities in Microsoft Dynamics 365 and Power Apps Web API serve as a stark reminder of the stakes involved in enterprise security. While Microsoft’s prompt action to patch these flaws is commendable, the incident underscores the need for organizations to adopt a proactive, multi-layered approach to cybersecurity. By doing so, businesses can better protect their systems, data, and customers from ever-evolving cyber threats.
