Researchers are urging Azure Active Directory (aka Microsoft Entra ID) users to monitor for abandoned reply URLs after revealing a critical vulnerability in the Microsoft Power Platform.
Researchers had found an abandoned reply URL address in an Azure AD application related to the low-code Power Platform. Attackers could use the URL to redirect authorization codes to themselves, exchanging these for access tokens. The threat actor could then call the Power Platform API via a middle-tier service and obtain elevated privileges.
As researchers said, Power Platform API lets users manage environments, change environment settings, and query capacity consumption. As a result, it is a prime target for threat actors seeking privileged access. We demonstrated privileged access on the Power Platform API by elevating the privileges of an existing service principal. The goal was not to further abuse this privileged access but to demonstrate that privileged actions such as elevating applications and deleting environments are possible due to the access gained via the middle-tier service.
With this, the attackers have a clear understanding about the API and could lead to additional attack methodologies. Microsoft quickly remediated the bug by removing the abandoned reply URL in question from the Azure AD application within a day.
Researchers urged security admins to keep an eye on their Azure AD applications’ reply URLs to avoid an attack scenario like the one described above.
Since the identified application is managed by the vendor, organizations cannot mitigate this issue directly. The only option would be deleting the service principal, which would nullify any legitimate use of the app. Regular monitoring for abandoned reply URLs is a must
This research was documented by researchers from Secure works.