1. Forum
  2. tqwNet
  3. TQW_GENTECH

  • Microsoft Power BI is apparently exposing user data online

    From TechnologyDaily@1337:1/100 to All on Fri Jun 21 16:00:05 2024
    Microsoft Power BI is apparently exposing user data online

    Date:
    Fri, 21 Jun 2024 15:52:43 +0000

    Description:
    Microsoft says it is a feature, not a bug, but the researchers disagree.

    FULL STORY ======================================================================

    Cybersecurity researchers from the Nokod Research Team have discovered Power BI, Microsofts business intelligence tool, is leaking sensitive data in a way thats quite simple to extract.

    In a blog post detailing the findings, Nokod said the vulnerability affects tens of thousands of organizations globally, and that malicious actors could abuse the flaw to grab sensitive data such as employee, customer, business, and government information.

    Protected health information (PHI), as well as personally identifiable information (PII), can also be accessed, the researchers said. All of this
    can be done online and anonymously. Easy to exploit

    Describing the issue, Nokod said that every Power BI report is built on top
    of a semantic model - meaning all of the data used for visualization. The report object is the one defining which data becomes visible in the UI, and how. Now, when a user shares a report object with other people, those people can access all of the underlying raw data represented by the semantic model.

    In other words, detailed data records used to display aggregations in the reports UI, tables that are included in the semantic model and are not displayed in the report at all (even when these tables are explicitly marked as hidden in the model), non-displayed columns of tables not visible in the reports UI (as details or aggregations, and even when these columns are explicitly marked as hidden in the model), detailed data records of tables that are used in the display, even if the display filters out these records, all of this can be accessed. To make things worse, Nokod says extracting this data is very easy.

    This behavior affects reports that are accessible inside an organization as well as reports that are published to the web, they said, adding that they found numerous publicly accessible reports via search engines, and were able to extract sensitive data from them.

    Nokod tipped Microsoft off on its findings, but the Redmond software giant said this was not a bug, but a feature.

    Microsofts position is that the behavior we uncovered is a design choice rather than a vulnerability, the researchers said. Hence it is the responsibility of organizations who create and share the reports to create them in a way that does not disclose any sensitive information.

    The researchers said they disagree with Microsoft and shared a list of things to do to help organizations protect their data while creating reports, as
    well as a free risk assessment tool, both of which can be found here . More from TechRadar Pro Microsoft data breach exposes employee data, company files online Here's a list of the best firewalls today These are the best endpoint protection tools right now



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/microsoft-power-bi-is-apparently-exposi ng-user-data-online


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)