Microsoft Power BI apparently makes user data public online

Cybersecurity researchers from the Nokod Research Team have found that Power BI, Microsoft’s business intelligence tool, exposes sensitive data that is easy to extract by anyone a report is shared with.

In a blog post detailing the findings, Nokod said the vulnerability affects “tens of thousands” of organizations worldwide, and that malicious actors could exploit the flaw to obtain sensitive data such as employee, customer, corporate and government information.

Protected health information (PHI) and personally identifiable information (PII) are also accessible, the researchers said. All this can be done online and anonymously.

Easy to exploit

Describing the problem, Nokod explained that every Power BI report is built on a semantic model, which holds all of the data used for visualization. The report object determines which parts of that data are shown in the user interface, and how. When a user shares a report with other people, however, those people gain access to all of the underlying raw data in the semantic model, not just what the report displays.

In other words, a recipient can reach the detailed records behind the aggregations shown in the report; tables that are part of the semantic model but never displayed in the report (even when they are explicitly marked “hidden” in the model); columns that are not visible in the report, either as details or as aggregations (again, even when marked “hidden”); and the detailed records of displayed tables that the report’s filters exclude from view. To make matters worse, Nokod says extracting this data is “very simple.”

“This behavior affects reports accessible within an organization, as well as reports published on the Internet,” the researchers said, adding that they found numerous publicly accessible reports through search engines and were able to extract sensitive data from them.

Nokod tipped Microsoft off about its findings, but the Redmond software giant said this wasn’t a bug, but a feature.

“Microsoft’s position is that the behavior we discovered is a design choice rather than a vulnerability,” the researchers said. “Therefore, it is the responsibility of organizations that create and share the reports to create them in a way that does not expose sensitive information.”

The researchers said they disagree with Microsoft and published a list of steps organizations can take to protect their data when building reports, as well as a free risk assessment tool, both of which can be found here.
