Microsoft Power BI is apparently exposing user data online

News
By published

Microsoft is calling it a feature, not a bug

Power BI Teams app
(Image credit: Power BI)

Cybersecurity researchers from the Nokod Research Team have discovered Power BI, Microsoft’s business intelligence tool, is leaking sensitive data in a way that’s quite simple to extract.

In a blog post detailing the findings, Nokod said the vulnerability affects “tens of thousands” of organizations globally, and that malicious actors could abuse the flaw to grab sensitive data such as employee, customer, business, and government information.

Protected health information (PHI), as well as personally identifiable information (PII), can also be accessed, the researchers said. All of this can be done online and anonymously.

Easy to exploit

Describing the issue, Nokod said that every Power BI report is built on top of a semantic model - meaning all of the data used for visualization. The report object is the one defining which data becomes visible in the UI, and how. Now, when a user shares a report object with other people, those people can access all of the underlying raw data represented by the semantic model. 

In other words, detailed data records used to display aggregations in the report’s UI, tables that are included in the semantic model and are not displayed in the report at all (even when these tables are explicitly marked as “hidden” in the model), non-displayed columns of tables not visible in the report’s UI (as details or aggregations, and even when these columns are explicitly marked as “hidden” in the model), detailed data records of tables that are used in the display, even if the display filters out these records, all of this can be accessed. To make things worse, Nokod says extracting this data is “very easy”.

“This behavior affects reports that are accessible inside an organization as well as reports that are published to the web,” they said, adding that they found numerous publicly accessible reports via search engines, and were able to extract sensitive data from them. 

Nokod tipped Microsoft off on its findings, but the Redmond software giant said this was not a bug, but a feature. 

“Microsoft’s position is that the behavior we uncovered is a design choice rather than a vulnerability,” the researchers said. “Hence it is the responsibility of organizations who create and share the reports to create them in a way that does not disclose any sensitive information.”

The researchers said they disagree with Microsoft and shared a list of things to do to help organizations protect their data while creating reports, as well as a free risk assessment tool, both of which can be found here

More from TechRadar Pro

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
The best free firewall
Microsoft fixes Power Pages security flaw, tells users to be on their guard
A person at a laptop with a cybersecure lock symbol floating above it.
A worrying security flaw could have left Microsoft SharePoint users open to attack
OneDrive on a Laptop
Microsoft One Drive for Business might not be storing your data as securely as you might hope
Data Breach
Thousands of widely-used public workspaces are leaking data
A digital themed isometric showing a neon padlock in the foreground, and a technological diagram of a processor logic board in the background.
A top online gift card store may have exposed private data on hundreds of thousands of users
Data leak
Popular online bill paying site leaks data of thousands of users
Latest in Security
Microsoft
"Another pair of eyes" - Microsoft launches all-new Security Copilot Agents to give security teams the upper hand
Lock on Laptop Screen
Medusa ransomware is able to disable anti-malware tools, so be on your guard
An abstract image of digital security.
Fake file converters are stealing info, pushing ransomware, FBI warns
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Coinbase targeted after recent Github attacks
hacker.jpeg
Key trusted Microsoft platform exploited to enable malware, experts warn
IBM office logo
IBM to provide platform for flagship cyber skills programme for girls
Latest in News
Girl wearing Meta Quest 3 headset interacting with a jungle playset
Latest Meta Quest 3 software beta teases a major design overhaul and VR screen sharing – and I need these updates now
Microsoft
"Another pair of eyes" - Microsoft launches all-new Security Copilot Agents to give security teams the upper hand
Hatch Restore 3 in Putty
You can finally start your day with The Office theme song, and I couldn't be more excited
Cassian Andor looking nervously over his shoulder in Andor season 2
New Andor season 2 trailer has got Star Wars fans asking the same question – and it includes an ominous call back to Rogue One's official teaser
Ncuti Gatwa as The Fifteenth Doctor in Doctor Who
Disney+ drops new trailer for Doctor Who season 2 that promises an epic adventure across time and space
23andMe
23andMe is bankrupt and about to sell your DNA, here's how to stop that from happening
More about security
An abstract image of digital security.

Fake file converters are stealing info, pushing ransomware, FBI warns
Microsoft

"Another pair of eyes" - Microsoft launches all-new Security Copilot Agents to give security teams the upper hand
AI hallucinations

We're already trusting AI with too much – I just hope AI hallucinations disappear before it's too late
See more latest
Most Popular
Girl wearing Meta Quest 3 headset interacting with a jungle playset
Latest Meta Quest 3 software beta teases a major design overhaul and VR screen sharing – and I need these updates now
Hatch Restore 3 in Putty
You can finally start your day with The Office theme song, and I couldn't be more excited
Dell Pro Max with GB300
HP and Dell's latest Nvidia powered PCs are likely to be some of the most expensive workstations ever launched
Shape of Russia filled with Russian flag-colored internet codes on a black hacking background
A new wave of blocks in Russia targets VPN apps and Cloudflare subnets
An abstract image of digital security.
Fake file converters are stealing info, pushing ransomware, FBI warns
Microsoft
"Another pair of eyes" - Microsoft launches all-new Security Copilot Agents to give security teams the upper hand
Ncuti Gatwa as The Fifteenth Doctor in Doctor Who
Disney+ drops new trailer for Doctor Who season 2 that promises an epic adventure across time and space
Cassian Andor looking nervously over his shoulder in Andor season 2
New Andor season 2 trailer has got Star Wars fans asking the same question – and it includes an ominous call back to Rogue One's official teaser
23andMe
23andMe is bankrupt and about to sell your DNA, here's how to stop that from happening
Lock on Laptop Screen
Medusa ransomware is able to disable anti-malware tools, so be on your guard