Microsoft 365 guests + Power Apps = security nightmare • The Register
Sign in / up
Topics
Special Features
Vendor Voice
Resources
Black Hat and DEF CON
This article is more than 1 year old
Microsoft 365 guest accounts + Power Apps = security nightmare
A login, a PA trial license, and some good old hacking are all that’s needed to nab SQL databases
Thu 10 Aug 2023 // 18:30 UTC
Black Hat Microsoft 365 guest accounts aren’t nearly as secure as Redmond would lead customers to believe, as low-code security expert Michael Bargury demonstrated at Black Hat.
Guest accounts are commonly used by Microsoft shops to give non-employees access to their 365 tenancy with limited permissions, usually just access to a Teams channel and Sharepoint. There are a few other things that guest accounts can get into to, however, and it’s Power Apps, Microsoft’s low-code platform, where problems can bubble.
Guest accounts, by default, don’t have Power Apps licenses assigned to them, but there’s an easy way around this, Bargury said during the Black Hat talk, “ All You Need is Guest”: Power Apps trial licenses.
Armed with a compromised or obtained guest account and a Power Apps trial license (available free to anyone who wants one from the Power Apps website), all an attacker needs to do is log in to Power Apps and switch directories to the target tenant they’re a guest user on, and voila: they can see a list of all the Power Apps connections their account has access to, and can even create applications inside the tenant. With enough work, the attacker can potentially make off with gobs of internal data.
“But wait,” you may be thinking at this point, “that shouldn’t matter if a company is practicing good access management.” That would be true, but it’s here that Bargury’s experience as co-founder and CTO of Zenity, a low-code/no-code security and governance startup, comes into play: he says many companies aren’t.
While Microsoft shares some responsibility for allowing Power Apps trial users to gain access to – and create – apps in guest tenancies without appropriate controls, “business users are building things in Power Apps and not properly restricting access,” Bargury said.
Bargury added that many organizations embed credentials into Power Apps to make them easier for various employees to use, and argued many business users who create apps don’t understand the implications of simply sharing them across a whole organization - which includes guest accounts - instead of being granular in granting access.
“It’s important to note that all of this is made possible by user mistakes,” Bargury told us.
If you have Power Apps in your infrastructure, double check what guests can access.
From trial license to data breach
All of what Bargury demonstrated in the first bit of his talk was relatively straightforward: the attacker gets access to a guest account on the target Microsoft 365 tenant, snags a Power Apps trial license, and hopes that the Power Apps users in their target tenant have provided access to some juicy internal apps.
It’s here that Microsoft’s default data loss prevention policies (DLP) come into play: they block connectors in existing apps from being accessed by 365 trial accounts. As mentioned above, however, guest accounts on a trial license can create their own Power Apps, and with some clever API manipulation can essentially side-step DLP policies, we’re told, to go right to the source: the connectors themselves, which are all too willing to dump any and all data contained in the databases they’re linked to.
- Those low-code tools devs love so much? They’ll grow 20% in 2023, says Gartner
- Meet TeamT5, the Taiwanese infosec outfit taking on Beijing and defeating its smears
- Scribble to app: Microsoft’s Power Apps VP talks us through ‘Express design’
- TETRA radio comms used by emergency heroes easily cracked, say experts
During his talk, Bargury demonstrated the use of a tool he built called Powerpwn that was able to gain access to, and dump data from, all sorts of Azure and SQL databases used by Power Apps, including a test database that contained customer information like social security numbers.
Permission: Impossible – or at least less likely, please
Bargury told us Microsoft has been a strong and willing collaborator in addressing the weaknesses he discovered, and that the Azure titan is working on a patch for the Power Apps DLP bypasses that he discovered, in addition to working to prevent guest accounts from creating Power Apps apps as well.
As for Power Apps users, it’s time to start cutting down on those doling out organization-wide access to internal apps, regardless of what Microsoft fixes or doesn’t. It also might not be a bad idea to start requiring users to sign in to individual Power Apps, or at least not embedding shared credentials into apps the entire company can use.
Along with his talk, Bargury provided sample code, additional details, and code to help companies determine if such vulnerabilities exist in their own environments. ®
Sponsored: Is your password ecosystem ready for the regulators?
Share
More about
More like these
×
More about
Narrower topics
Broader topics
More about
Share
More about
More like these
×
More about
Narrower topics
Broader topics
TIP US OFF
Other stories you might like
Russia, hotbed of cybercrime, says nyet to ethical hacking bill
Politicians uneasy over potential impact on national security, local reports say
Security11 days | 4
EU cloud gang wins Microsoft concessions, but fair software licensing group brands them ‘stalling tactic’
Updated Pay-as-you-go model, privacy protections agreed – but critics say it just buys ‘Microsoft more time to lock in customers’
PaaS + IaaS3 days |
A software-defined radio can derail a US train by slamming the brakes on remotely
Updated Neil Smith has been trying to get the railroad industry to listen since 2012, but it took a CISA warning to get there
Security7 days | 74
AI and virtualization are two major headaches for CIOs. Can storage help solve them both?
It’s about evolution not revolution, says Lenovo
Sponsored feature
Suspected Chinese cybersnoop grounded in Italy after US tipoff
Zewei Xu’s family reportedly bemused at arrest as extradition tabled
Security13 days | 10
Security shop Adarma ceases trading, confirms it will enter administration
Former staffers of struggling UK biz say they don’t expect to be paid for July
Security5 days | 1
IT consultancy settles US battle over alleged $14.75M government contract fraud
Outfit was accused of charging for specialist IT labor performed by uncertified folks
Public Sector6 days | 2
AMD warns of new Meltdown, Spectre-like bugs affecting CPUs
Low-severity bugs but infosec pros claim they are a ‘critical’ overall threat – patch accordingly
Security12 days | 27
Scattered Spider crime spree takes flight as focus turns to aviation sector
Time ticking for defenders as social engineering pros weave wider web
Cyber-crime21 days | 2
23andMe’s new owner says your DNA is safe this time
Nonprofit TTAM assures everything is BAU. Whether that makes customers feel better is another matter
Cyber-crime19 days | 18
It’s 2025 and almost half of you are still paying ransomware operators
Infosec in Brief PLUS: Crooks target hardware crypto wallets; Bad flaws in Brother printers; ,O365 allows takeover-free phishing; and more
Security22 days | 2
Supply chain attacks surge with orgs ‘flying blind’ about dependencies
Who is the third party that does the thing in our thing? Yep. Attacks explode over past year
CSO26 days | 4
