critical

Power Platform Privilege Escalation in Azure AD

Published Thu, Aug 24th, 2023
Platforms

Summary

Secureworks researchers discovered an Azure AD application with an abandoned reply URL related to Microsoft Power Platform. An attacker could leverage this URL to redirect authorization codes, exchange them for access tokens, and call the Power Platform API via a middle-tier service to obtain elevated privileges. Microsoft quickly addressed the issue by removing the identified abandoned reply URL from the Azure AD application.

Affected Services

Power Platform, Azure Active Directory

Remediation

None required. Microsoft has addressed the issue by removing the identified abandoned reply URL from the Azure AD application.

Tracked CVEs

No tracked CVEs

References

Entry Status
Stub (AI-Generated)
Disclosure Date
Wed, Apr 5th, 2023
Exploitability Period
Until 2023/04/06
Known ITW Exploitation
-
Detection Methods
Monitor for abandoned reply URLs in Azure AD applications. Note that deleting the service principal or disabling user sign-in for the affected app would also break its legitimate use.
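As an added example of the monitoring suggested above (this is not code from the original entry, from Microsoft, or from Secureworks), the script below audits app registration reply URLs for the signals that make a URL a candidate for abandonment or abuse: a hostname that no longer resolves, a wildcard, a non-HTTPS scheme, or a localhost leftover. It assumes the Microsoft Graph application object shape, where redirect URIs live under `web.redirectUris` (with the legacy `replyUrls` field also handled); the application list is constructed inline and is not real tenant data, and the DNS resolver is injectable so the check can be run offline or against a stub.

```python
"""Audit Azure AD app registration reply URLs for dangling or weak entries.

Added example, not from the original entry. Assumes the Microsoft Graph
`application` object shape (redirect URIs under `web.redirectUris`,
legacy ones under `replyUrls`). All sample data below is constructed.
"""
import json
import socket
from urllib.parse import urlparse

# Constructed sample resembling a Graph `GET /applications` page; not real data.
SAMPLE_APPS = json.dumps({"value": [
    {"displayName": "Payroll Portal",
     "appId": "00000000-0000-0000-0000-000000000001",
     "web": {"redirectUris": [
         "https://payroll.example.com/signin-oidc",
         "https://old-payroll-preview.example.net/callback"]}},
    {"displayName": "Dev Tool",
     "appId": "00000000-0000-0000-0000-000000000002",
     "web": {"redirectUris": ["http://localhost:5000/", "https://*.example.org/cb"]}},
]})


def default_resolver(host):
    """Return True if `host` resolves in DNS, False if it looks dangling."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except (socket.gaierror, UnicodeError):
        return False


def classify_reply_url(url, resolver=default_resolver):
    """Return a list of findings for one reply URL (empty list means it looks fine)."""
    findings = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        findings.append("non-https")          # authorization code could travel in clear text
    if "*" in url:
        findings.append("wildcard")           # matches more hosts than intended
    if host in ("localhost", "127.0.0.1"):
        findings.append("localhost")          # development leftover
    elif host and "*" not in host and not resolver(host):
        findings.append("unresolvable-host")  # candidate abandoned reply URL
    return findings


def audit_applications(graph_json, resolver=default_resolver):
    """Return {appId: {url: [findings]}} covering only URLs with at least one finding."""
    report = {}
    for app in json.loads(graph_json).get("value", []):
        urls = list(app.get("web", {}).get("redirectUris", []))
        urls += list(app.get("replyUrls", []))   # legacy field name, if present
        flagged = {}
        for url in urls:
            findings = classify_reply_url(url, resolver)
            if findings:
                flagged[url] = findings
        if flagged:
            report[app["appId"]] = flagged
    return report


if __name__ == "__main__":
    for app_id, flagged in audit_applications(SAMPLE_APPS).items():
        for url, findings in flagged.items():
            print(f"{app_id} {url}: {', '.join(findings)}")
```

An unresolvable hostname is the strongest signal here, since a reply URL whose domain has lapsed is exactly the kind of entry that can be re-registered by someone else; a hostname that still resolves should still be reviewed for ownership, because resolution alone does not prove the organization controls it. Replace `SAMPLE_APPS` with the JSON returned by a Graph `applications` query to run it against a real tenant.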
Piercing Index Rating
-
Discovered by
Secureworks Counter Threat Unit