Severe Security Flaws Patched in Microsoft Dynamics 365 and Power Apps Web API

Details have emerged about three now-patched security vulnerabilities in Dynamics 365 and Power Apps Web API that could result in data exposure.

The flaws, discovered by Melbourne-based cybersecurity company Stratus Security, have been addressed as of May 2024. Two of the three shortcomings reside in Power Platform’s OData Web API Filter, while the third vulnerability is rooted in the FetchXML API.

The root cause of the first vulnerability is the lack of access control on the OData Web API Filter, thereby allowing access to the contacts table that holds sensitive information such as full names, phone numbers, addresses, financial data, and password hashes.

A threat actor could then weaponize the flaw to perform a boolean-based search to extract the complete hash by guessing each character of the hash sequentially until the correct value is identified.

“For example, we start by sending startswith(adx_identity_passwordhash, ‘a’) then startswith(adx_identity_passwordhash , ‘aa’) then startswith(adx_identity_passwordhash , ‘ab’) and so on until it returns results that start with ab,” Stratus Security said.

“We continue this process until the query returns results that start with ‘ab’. Eventually, when no further…