A worrying security flaw could have left Microsoft SharePoint users open to attack
User credentials were put at risk by SharePoint security issue.
![A worrying security flaw could have left Microsoft SharePoint users open to attack](https://cdn.mos.cms.futurecdn.net/GECPn964KJunKWgRJ5mMti.jpg?#)
- Security researchers discover a bug in Microsoft’s SharePoint connector on Power Platform
- A server-side request forgery flaw could have allowed threat actors to steal people’s login credentials
- It has been patched, but users should still update as soon as possible
Experts have warned Microsoft’s SharePoint connector on Power Platform was vulnerable to a server-side request forgery (SSRF) flaw which could have allowed threat actors to steal people’s login credentials.
Cybersecurity researchers from Zenity Labs recently detailed their findings in an in-depth technical analysis. In essence, threat actors could use the “custom value” feature in a SharePoint connector to add a custom URL to a flow. To do that, they would first need the Environment Maker role and the Basic User role within Power Platform.
In the blog, Zenity explained why access to the Environment Maker role is essential for the attack to work: “The Environment Maker role allows you to create apps, flows, and connections, and share them with others in your organization,” the article reads. “The Basic User role enables you to run apps and interact with records you own (e.g., Account, Contact).”
Creating a flow
An attacker could create a flow for a SharePoint action and share it with the victim, which would end up leaking the victim’s SharePoint JWT access token. The crooks could then use this token to impersonate the victim and send requests outside the Power Platform.
Zenity added that the vulnerability can be abused in Power Apps or Copilot Studio.
"You can take this even further by embedding the Canvas app into a Teams channel, for example," Zenity noted. "Once users interact with the app in Teams, you can harvest their tokens just as easily, expanding your reach across the organization and making the attack even more widespread."
Microsoft was notified about the vulnerability in September 2024, and patched it in mid-December last year.
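The root problem described above is a user's token being attached to a request whose destination came from a user-supplied "custom value". The sketch below is an added example of the general SSRF mitigation, not Microsoft's fix or Zenity's code: a service checks the destination against a tenant host allowlist before adding the bearer token. The host names, `TENANT_HOSTS` and both function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: SharePoint hosts of a hypothetical tenant.
TENANT_HOSTS = {"contoso.sharepoint.com", "contoso-my.sharepoint.com"}


def check_site_url(url, allowed_hosts=TENANT_HOSTS):
    """Return (ok, reason) for a user-supplied 'custom value' site URL."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "scheme is not https"
    if parts.username is not None or parts.password is not None:
        # "https://contoso.sharepoint.com@collector.example/" really
        # connects to collector.example, so any userinfo is rejected.
        return False, "userinfo in URL"
    if port not in (None, 443):
        return False, "unexpected port"
    host = (parts.hostname or "").rstrip(".")
    # Exact match only: substring or suffix checks would accept
    # "contoso.sharepoint.com.collector.example".
    if host not in allowed_hosts:
        return False, f"host {host!r} not in tenant allowlist"
    return True, "ok"


def build_request_headers(url, token):
    """Attach the bearer token only when the destination passes the check."""
    ok, reason = check_site_url(url)
    if not ok:
        raise PermissionError(f"refusing to send token: {reason}")
    return {"Authorization": f"Bearer {token}"}
```

The check has to run on the exact URL that the HTTP client will request, and redirects should not be followed with the token still attached.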
Microsoft SharePoint is an online collaboration and document management platform that enables organizations to store, share, and manage content, workflows, and applications securely.