CyberSecurity SEE

Vulnerability in Microsoft Power BI Allows Attackers to Access Sensitive Organization Data

A recently reported vulnerability in Microsoft Power BI has left tens of thousands of organizations at risk of unauthorized access to sensitive data included in reports. The flaw allows attackers to go beyond the information a report visibly presents and retrieve additional data attributes, records, and detailed information that the report author may never have intended for public viewing.

Nokod Security first reported this vulnerability to Microsoft, but the tech giant has classified it as a feature rather than a security issue. The problem lies in Power BI’s semantic models, which expose all underlying data, including hidden tables, columns, and detailed records. This means that even when only aggregated data or a subset of the data is visualized in the report, unintended users can still access sensitive information.

The exploit works by triggering data retrieval through API calls to specific endpoints on the Power BI servers. Public reports use one endpoint, while organizational reports use another that likely requires a capacity object identifier for authorization. Attackers can craft custom queries in a proprietary format to request data from both visible and hidden columns and tables in the semantic model; the filters and aggregations applied in the report's visualizations are not enforced on these queries, so they can be bypassed.

By accessing the entire semantic model through API calls, attackers can expose hidden data that the report creator may have marked as confidential. Even SQL tables that are not returned by the public schema API can still be accessed through query APIs, posing a significant security risk for organizations that handle sensitive information.

Nokod Security’s findings reveal that this vulnerability has serious implications for organizations that share reports containing confidential financial or healthcare data. The ability to access underlying data models through API calls can potentially reveal private information like Personally Identifiable Information (PII) and Protected Health Information (PHI), making it a critical concern for data security and privacy.

In light of these findings, organizations using Power BI should review their sharing permissions and access controls to ensure that only authorized users can view and interact with sensitive data. Additionally, Microsoft should address this vulnerability promptly to prevent any further unauthorized access to confidential information through Power BI reports.