Connect with us

Hi, what are you looking for?


Management & Strategy

Microsoft Criticized Over Handling of Critical Power Platform Vulnerability

A critical Microsoft Power Platform vulnerability exposed authentication data and other secrets, but the tech giant has been accused of handling it poorly.

A critical Microsoft Power Platform vulnerability exposed organizations’ authentication data and other secrets, but the tech giant has been accused of handling it poorly.

In March, researchers at vulnerability management company Tenable discovered a critical vulnerability in Microsoft’s Power Platform. The platform, which can be connected to Microsoft 365, Azure and other apps, enables organizations to analyze data, build applications and automate processes. 

The security hole was caused by “insufficient access control to Azure Function hosts, which are launched as part of the creation and operation of custom connectors in Microsoft’s Power Platform”.

“It was possible for an attacker who determined the hostname of the Azure Function associated with the custom connector to interact with the underlying code without authentication.With one such hostname, an attacker could determine the hostnames for Azure Functions associated with other customers’ custom connectors, as they differed only by an integer,” Tenable explained in an advisory. 

Exploitation of the vulnerability could have allowed an attacker to access cross-tenant applications, and obtain authentication secrets and other sensitive data. 

Tenable researchers also warned that this was not only an information disclosure issue, “as being able to access and interact with the unsecured Function hosts and custom connector code could have further impact”. 

The flaw was reported to Microsoft in late March, but it took the tech giant several months to roll out even a partial fix, which prompted industry veteran and Tenable CEO Amit Yoran to criticize the company for its handling of the issue. 

Advertisement. Scroll to continue reading.

“To give you an idea of how bad this is, our team very quickly discovered authentication secrets to a bank,” Yoran said. 

Tenable published an advisory with limited information about the flaw on July 31 because Microsoft had only addressed the issue for new applications and promised to roll out a complete fix only by the end of September. 

Then, shortly after Yoran complained about the tech giant’s handling of the vulnerability, Microsoft implemented a fix for previously affected hosts as well and Tenable updated its advisory to include technical information and proof-of-concept (PoC) code. 

Yoran is not the only one who has criticized Microsoft in recent days over its handling of security issues. The tech giant has also faced accusations from a US official and other respected members of the cybersecurity community.  

Update: A Microsoft spokesperson told SecurityWeek that the company’s initial fix in June mitigated the issue for a majority of customers and it has now been fully addressed. Customers do not need to take any action.

“We appreciate the collaboration with the security community to responsibly disclose product issues. We follow an extensive process involving a thorough investigation, update development for all versions of affected products, and compatibility testing among other operating systems and applications. Ultimately, developing a security update is a delicate balance between timeliness and quality, while ensuring maximized customer protection with minimized customer disruption,” the Microsoft spokesperson said.

Related: Chinese Cyberspies Used Forged Authentication Tokens to Hack Government Emails

Related: Microsoft Cloud Hack Exposed More Than Exchange, Outlook Emails

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.