Microsoft Power BI Raises Security Concerns, Reports Expose Sensitive Data

A research team at Nokod Security has identified a data leakage vulnerability in Microsoft’s Power BI. Find out more about the nature of the threat and what it implies for Power BI users.

June 25, 2024

  • A research team at Nokod Security has identified a data leakage vulnerability in Microsoft’s Power BI that could affect thousands of customers.
  • The vulnerability exposes semantic models’ raw data to users who do not have permission to access such data.

A security research team at Nokod Security uncovered a significant vulnerability in Microsoft’s Power BI business analytics service. The flaw reportedly exposes sensitive data through publicly accessible Power BI reports, creating a notable security risk for organizations that use the tool for reporting and data visualization.

According to the research team, Power BI reports were inadvertently configured to become publicly accessible online. Consequently, anyone with the report’s URL could access the data without authorization.

Reports can be shared with external partners, but when they are published on the web, they create a URL that search engines can index. This makes it easy for attackers to access such reports with basic search engine queries, putting information such as financial records, proprietary data, personal information, and internal business data at risk.

Attackers can exploit search engine indexing to locate public reports and change URLs to find other reports on the same server, which makes it easy to harvest data. Such data leaks, in turn, can result in significant data breaches, violate user privacy, and put organizations at a disadvantage to competitors owing to the exposure of valuable information.

Microsoft responded to Nokod Security’s report, stating that Power BI’s behavior was not a vulnerability but a design choice. Nokod has recommended security measures such as removing hidden tables and columns from the report, using the Power Query expression to restrict access to data sources, and selecting only non-sensitive columns when displaying aggregate data.

The report highlights the need for safeguards, such as reviews of sharing settings, user awareness, authentication mechanisms, and frequent audits, to minimize the risk of sensitive data exposure in the future.

Anuj Mudaliar
Anuj Mudaliar is a content development professional with a keen interest in emerging technologies, particularly advances in AI. As a tech editor for Spiceworks, Anuj covers many topics, including cloud, cybersecurity, emerging tech innovation, AI, and hardware. When not at work, he spends his time outdoors - trekking, camping, and stargazing. He is also interested in cooking and experiencing cuisine from around the world.