
Microsoft SharePoint Connector Vulnerability Could Have Led to Credential Theft in Power Platform


Cybersecurity researchers have uncovered a critical vulnerability in the Microsoft SharePoint connector within Power Platform. If exploited, this flaw could have allowed threat actors to steal user credentials and launch further attacks.


How the SharePoint Connector Vulnerability Worked

The now-patched vulnerability enabled attackers to impersonate users and send unauthorized requests to the SharePoint API. According to a report from Zenity Labs shared with The easy4hub News, this could have resulted in unauthorized access to sensitive data.


Senior security researcher Dmitry Lozovoy emphasized the potential impact:

 

"This vulnerability could be exploited across Power Automate, Power Apps, Copilot Studio, and Copilot 365, significantly expanding the scope of possible damage. Attackers could leverage interconnected services within the Power Platform ecosystem, increasing the risk of successful attacks."


Microsoft's Response and Fix

Microsoft was alerted to the security flaw in September 2024 through responsible disclosure. The issue, rated "Important" in severity, was officially patched on December 13, 2024.


Microsoft Power Platform is a suite of low-code development tools designed for analytics, automation, and productivity. The flaw was a server-side request forgery (SSRF) vulnerability rooted in the "custom value" functionality of the SharePoint connector, which allowed attackers to manipulate URLs within workflows.


Exploitation Requirements and Attack Scenarios

For a successful attack, a hacker would need an Environment Maker role and a Basic User role within Power Platform. This means they would have to first infiltrate the target organization and acquire these roles through other means.

Zenity Labs explained:

 

"With the Environment Maker role, attackers can create and share malicious apps and flows, while the Basic User role enables them to interact with resources in Power Platform. If these roles aren't already granted, attackers would need to gain them first."


Potential Attack Methods

  • A hacker could create a SharePoint action flow and share it with a low-privileged user, leading to a leak of their SharePoint JWT access token.

  • Once obtained, the token could be used to make requests on behalf of the compromised user beyond Power Platform.

  • The vulnerability could be extended to Power Apps and Copilot Studio by embedding a malicious Canvas app or Copilot agent.

  • Attackers could further spread the exploit by integrating the Canvas app into Microsoft Teams channels, allowing them to harvest tokens from multiple users.


The Larger Security Implications

This discovery highlights the security risks posed by Power Platform's interconnected services. SharePoint connectors provide access to vast amounts of corporate data, making it crucial for organizations to maintain strict access controls.


Additionally, Binary Security recently reported three SSRF vulnerabilities in Azure DevOps, which could have allowed attackers to access metadata API endpoints and extract machine configuration details.


How to Protect Your Organization

To mitigate risks, organizations using Power Platform should:

  • Regularly audit user roles and permissions.

  • Implement multi-factor authentication (MFA) for added security.

  • Monitor API requests and anomalies within Power Platform.

  • Educate employees on the risks of interacting with unfamiliar Power Apps or shared resources.
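
One way to act on the auditing and monitoring points above, as an added example that is not code from Zenity Labs or Microsoft: the script walks an exported flow definition and flags SharePoint connector actions whose site address is a custom value outside the tenant's own SharePoint hosts. The definition layout (the `dataset` parameter holding the site address), the host names and the sample flow are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: placeholder tenant host; replace with your organization's own.
ALLOWED_HOSTS = {"contoso.sharepoint.com"}
SHAREPOINT_API = "shared_sharepointonline"  # connector id assumed in exported flows

def iter_actions(node, name="<root>"):
    """Yield (name, action) for every action, including ones nested in scopes and branches."""
    if isinstance(node, dict):
        if isinstance(node.get("inputs"), dict):
            yield name, node
        for key, child in node.items():
            yield from iter_actions(child, key)

def check_site(site, allowed_hosts):
    """Return a reason string, or None when site is a plain https URL on an allowed host."""
    if site.startswith("@") or "@{" in site:
        return "dynamic expression, resolved only at run time"
    try:
        parts = urlsplit(site)
        host = (parts.hostname or "").lower()  # hostname ignores any user@ prefix
    except ValueError:
        return "unparseable URL"
    if parts.scheme != "https" or host not in allowed_hosts:
        return f"{host or 'no host'} is not an allowed https SharePoint host"

def audit_flow(definition, allowed_hosts=ALLOWED_HOSTS):
    """Return [(action_name, site_value, reason)] for SharePoint actions that need review."""
    findings = []
    for name, action in iter_actions(definition.get("actions", {})):
        host, params = action["inputs"].get("host"), action["inputs"].get("parameters")
        if not (isinstance(host, dict) and isinstance(params, dict)
                and SHAREPOINT_API in str(host.get("apiId", ""))):
            continue  # not a SharePoint connector action
        site = str(params.get("dataset", ""))
        if reason := check_site(site, allowed_hosts):
            findings.append((name, site, reason))
    return findings

def sp(site):  # builds one constructed SharePoint connector action
    return {"inputs": {"host": {"apiId": "/providers/Microsoft.PowerApps/apis/" + SHAREPOINT_API},
                       "parameters": {"dataset": site, "table": "Documents"}}}

SAMPLE = {"actions": {  # constructed flow definition, not taken from a real tenant
    "Get_items": sp("https://contoso.sharepoint.com/sites/hr"),
    "Scope": {"type": "Scope", "actions": {"Get_file": sp("https://collector.example.net/sites/hr")}},
    "Get_list": sp("https://contoso.sharepoint.com@collector.example.net/sites/hr"),
    "Update_item": sp("@{triggerBody()?['site']}")}}
```

Running `audit_flow(SAMPLE)` reports the three actions whose site address is off-tenant or only known at run time; each finding is a prompt for manual review of the flow and its owner, not proof of abuse.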


Final Thoughts

The Microsoft SharePoint connector vulnerability underscores the importance of proactive security measures in cloud-based development environments. While Microsoft has patched the issue, businesses should remain vigilant against evolving threats that target low-code platforms.