Cybersecurity researchers from the Nokod Research Team have discovered Power BI, Microsoft’s business intelligence tool, is leaking sensitive data in a way that’s quite simple to extract.
In a blog post detailing the findings, Nokod said the vulnerability affects “tens of thousands” of organizations globally, and that malicious actors could abuse the flaw to grab sensitive data such as employee, customer, business, and government information.
Protected health information (PHI), as well as personally identifiable information (PII), can also be accessed, the researchers said. All of this can be done online and anonymously.
Easy to exploit
Describing the issue, Nokod said that every Power BI report is built on top of a semantic model – meaning all of the data used for visualization. The report object is the one defining which data becomes visible in the UI, and how. Now, when a user shares a report object with other people, those people can access all of the underlying raw data represented by the semantic model.
In other words, detailed data records used to display aggregations in the report’s UI, tables that are included in the semantic model and are not displayed in the report at all (even when these tables are explicitly marked as “hidden” in the model), non-displayed columns of tables not visible in the report’s UI (as details or aggregations, and even when these columns are explicitly marked as “hidden” in the model), detailed data records of tables that are used in the display, even if the display filters out these records, all of this can be accessed. To make things worse, Nokod says extracting this data is “very easy”.
“This behavior affects reports that are accessible inside an organization as well as reports that are published to the web,” they said, adding that they found numerous publicly accessible reports via search engines, and were able to extract sensitive data from them.
Nokod tipped Microsoft off on its findings, but the Redmond software giant said this was not a bug, but a feature.
“Microsoft’s position is that the behavior we uncovered is a design choice rather than a vulnerability,” the researchers said. “Hence it is the responsibility of organizations who create and share the reports to create them in a way that does not disclose any sensitive information.”
The researchers said they disagree with Microsoft and shared a list of things to do to help organizations protect their data while creating reports, as well as a free risk assessment tool, both of which can be found here.