
Microsoft fixes flaw after being called irresponsible by Tenable CEO
2023-08-04 22:54

Microsoft has fixed a security flaw in the Power Platform Custom Connectors feature that let unauthenticated attackers access cross-tenant applications and Azure customers' sensitive data, after Tenable's CEO called the company's handling of the issue "grossly irresponsible". The root cause was inadequate access control on the Azure Function hosts launched by connectors within the Power Platform.

"It should be noted that this is not exclusively an issue of information disclosure, as being able to access and interact with the unsecured Function hosts, and trigger behavior defined by custom connector code, could have further impact," says cybersecurity firm Tenable, which discovered the flaw and reported it on March 30th. "However, because of the nature of the service, the impact would vary for each individual connector, and would be difficult to quantify without exhaustive testing."

"To give you an idea of how bad this is, our team very quickly discovered authentication secrets to a bank. They were so concerned about the seriousness and the ethics of the issue that we immediately notified Microsoft," Tenable CEO Amit Yoran added.

Microsoft finally resolved the issue for all customers on August 2nd after an initial fix deployed by Redmond on June 7th was tagged by Tenable as incomplete.

Redmond has since notified all impacted customers through the Microsoft 365 Admin Center, starting August 4th. Even though Microsoft says the information disclosure issue has been addressed for all Azure customers, Tenable believes the fix applies only to newly deployed Power Apps and Power Automate custom connectors.

Microsoft addressed the flaw after a five-month period, but not before the CEO of Tenable voiced vehement criticism against the initial response.


News URL

https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-flaw-after-being-called-irresponsible-by-tenable-ceo/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 674 804 4455 4133 3701 13093
Tenable 13 18 67 41 11 137