Severe Security Flaws Patched in Microsoft Dynamics 365 and Power Apps Web API

Details have emerged about three now-patched security vulnerabilities in Dynamics 365 and Power Apps Web API that could result in data exposure.

The flaws, discovered by Melbourne-based cybersecurity company Stratus Security, have been addressed as of May 2024. Two of the three shortcomings reside in Power Platform's OData Web API Filter, while the third vulnerability is rooted in the FetchXML API.

The root cause of the first vulnerability is the lack of access control on the OData Web API Filter, thereby allowing access to the contacts table that holds sensitive information such as full names, phone numbers, addresses, financial data, and password hashes.

A threat actor could then weaponize the flaw to perform a boolean-based search to extract the complete hash by guessing each character of the hash sequentially until the correct value is identified.

"For example, we start by sending startswith(adx_identity_passwordhash, 'a') then startswith(adx_identity_passwordhash , 'aa') then startswith(adx_identity_passwordhash , 'ab') and so on until it returns results that start with ab," Stratus Security said.

"We continue this process until the query returns results that start with 'ab'. Eventually, when no further characters return a valid result, we know we have obtained the complete value."

The second vulnerability, on the other hand, lies in using the orderby clause in the same API to obtain the data from the necessary database table column (e.g., EMailAddress1, which refers to the primary email address for the contact).

Lastly, Stratus Security also found that the FetchXML API could be exploited in conjunction with the contacts table to access restricted columns using an orderby query.

"When utilizing the FetchXML API, an attacker can craft an orderby query on any column, completely bypassing the existing access controls," it said. "Unlike the previous vulnerabilities, this method does not necessitate the orderby to be in descending order, adding a layer of flexibility to the attack."

An attacker weaponizing these flaws could, therefore, compile a list of password hashes and emails, then crack the passwords or sell the data.

"The discovery of vulnerabilities in the Dynamics 365 and Power Apps API underscores a critical reminder: cybersecurity requires constant vigilance, especially for large companies that hold so much data like Microsoft," Stratus Security said.