
Microsoft has addressed a critical security flaw affecting Power Platform that could lead to unauthorized access and, in turn, the disclosure of sensitive information.
The flaw arises from insufficient access control on Azure Function hosts, creating a scenario in which a threat actor could obtain OAuth client IDs and secrets, as well as other forms of authentication material.
The researchers who discovered the issue and reported the details to Microsoft on March 30, 2023, said the problem could enable limited, unauthorized access to cross-tenant applications and sensitive data. Microsoft is said to have issued an initial fix on June 7, 2023, but it wasn’t until August 2, 2023, that the vulnerability was completely resolved.
The months-long delay in patching the flaw attracted scrutiny, and Microsoft was slammed for being “grossly irresponsible, if not blatantly negligent.” “What you hear from Microsoft is ‘just trust us,’ but what you get back is very little transparency and a culture of toxic obfuscation.”
Microsoft, in its advisory, said it follows an extensive process for investigating and deploying fixes, and that developing a security update is a delicate balance between the speed and safety of applying the fix and the quality of the fix. Some fixes can be completed and safely applied very quickly, while others take longer.
In order to protect our customers from an exploit of an embargoed security vulnerability, we also start to monitor any reported security vulnerability for active exploitation and move swiftly if we see any active exploit.
Microsoft Statement
This vulnerability was documented by researchers from Tenable.