A vulnerability in Microsoft Power BI allows unauthorized users to access sensitive data underlying reports, which affects tens of thousands of organizations and grants access to employee, customer, and potentially confidential data. By exploiting this vulnerability, attackers can extract information beyond what is visible in the reports, including additional data attributes, records, and details behind aggregated or anonymized data. The vulnerability was reported to Microsoft by Nokod Security, but they consider it a feature rather than a security issue, while Power BI semantic models expose all underlying data, including hidden tables, columns, and detailed records, even when only aggregated data or a subset of the data is visualized in the report. It grants unintended access to sensitive information for any user with access to the report, regardless of sharing permissions or filtering applied in the report view, which applies to both internal and publicly shared reports. Details Of Exploitation: Public Power BI reports trigger data retrieval upon execution through a POST request to the “/public/reports/querydata” endpoint on the wabi-west-europe-f-primary-api.analysis.windows.net server. In contrast, organizational reports leverage a different endpoint on pbipweu14-westeurope.pbidedicated.windows.net, specifically “/webapi/capacities/
Source: GBHackers