Cyberveille, curated by Decio
13 results tagged API
50,000+ Azure AD Users Exposed via Unsecured API: BeVigil Uncovers Critical Flaw | CloudSEK https://www.cloudsek.com/blog/50-000-azure-ad-users-exposed-via-unsecured-api-bevigil-uncovers-critical-flaw
03/06/2025 13:33:10

An unsecured API endpoint buried inside a JavaScript file gave attackers the keys to the kingdom—direct access to sensitive Microsoft Graph data of thousands of employees, including top executives. CloudSEK’s BeVigil platform uncovered how this silent slip could lead to identity theft, phishing attacks, and regulatory nightmares. Here’s how it unfolded—and what your organization must do to stay safe.

CloudSEK’s BeVigil platform recently identified a critical security lapse on a publicly accessible subdomain of an aviation giant. The vulnerability stemmed from an exposed JavaScript file that contained an unauthenticated API endpoint. This endpoint issued Microsoft Graph access tokens with elevated privileges, ultimately leading to the unauthorized exposure of sensitive data belonging to more than 50,000 Azure AD users.

What Went Wrong
BeVigil’s API Scanner found that a JavaScript bundle hosted on a subdomain contained a hardcoded endpoint that could be called without authentication. This endpoint issued a Microsoft Graph API token with excessive permissions, specifically User.Read.All and AccessReview.Read.All. These permissions are normally tightly restricted because they grant access to full user profiles and critical identity governance data.

Using this token, an attacker could query Microsoft Graph endpoints to retrieve detailed employee information, including names, job titles, contact details, reporting structures, and even access review configurations. Such exposure not only undermines user privacy but also opens the door to privilege escalation, identity theft, and targeted phishing campaigns, especially since executive-level data was also exposed.
Scale and Severity
The impact is far-reaching. Data associated with over 50,000 users was accessible, and the endpoint continued to return records for newly added users. Among the exposed information were personal identifiers, user principal names, access role assignments, and other governance details. The exposure of this magnitude significantly increases the organization’s attack surface and introduces compliance risks under frameworks such as GDPR and CCPA.

Security and Compliance Implications
Unauthorized Data Access: Attackers could exploit the API to retrieve confidential employee records directly from Azure AD.
Token Misuse: The leaked token could grant unrestricted visibility into internal directory structures and governance decisions.
Executive Exposure: The data of senior leadership was accessible, making them high-value targets for impersonation or social engineering.
Regulatory Violations: The exposure of personally identifiable information without proper safeguards raises serious compliance concerns. Data breaches erode user trust and can lead to long-term reputational harm and operational disruption.

[Figure: Snapshot of the generated authorization token]
Recommended Remediations
BeVigil recommended that the following actions be implemented as a priority:

Disable Public API Access: Restrict the vulnerable endpoint and enforce strict authentication controls.
Revoke Compromised Tokens: Invalidate exposed tokens and rotate affected credentials.
Enforce Least Privilege: Review and limit token scopes to only what is necessary.
Monitor API Usage: Implement logging and alerting to detect abnormal Microsoft Graph activity.
Secure Front-End Code: Avoid embedding sensitive endpoints or token logic in client-side scripts.
Review Permissions and Roles: Audit all Azure AD roles and access reviews to eliminate overprovisioned permissions.
Implement Rate Limiting: Protect API endpoints with rate controls and anomaly detection.

cloudsek EN 2025 AzureAD MicrosoftGraph JavaScript unsecured API
After security breach at D-Trust: CCC speaks of "cyber window-dressing" | heise online https://www.heise.de/en/news/After-security-breach-at-D-Trust-CCC-speaks-of-cyber-window-dressing-10256579.html
29/01/2025 17:35:00

The Chaos Computer Club demands that the trust service provider D-Trust take responsibility and abolish the hacker paragraph.

heise 2025 D-Trust Chaos-Computer-Club hacker API open
Microsoft moves to disrupt hacking-as-a-service scheme that’s bypassing AI safety measures https://cyberscoop.com/microsoft-generative-ai-lawsuit-hacking/
12/01/2025 20:55:44

The defendants used stolen API keys to gain access to devices and accounts with Microsoft’s Azure OpenAI service, which they then used to generate “thousands” of images that violated content restrictions.

cyberscoop EN 2025 Microsoft hacking-as-a-service stolen API keys images Azure OpenAI
DocuSign's Envelopes API abused to send realistic fake invoices https://www.bleepingcomputer.com/news/security/docusigns-envelopes-api-abused-to-send-realistic-fake-invoices/
11/11/2024 09:12:51

Threat actors are abusing DocuSign's Envelopes API to create and mass-distribute fake invoices that appear genuine, impersonating well-known brands like Norton and PayPal.

bleepingcomputer EN 2024 API DocuSign Invoice Phishing Signature Security InfoSec Computer-Security
An Anonymous Source Shared Thousands of Leaked Google Search API Documents with Me; Everyone in SEO Should See Them https://sparktoro.com/blog/an-anonymous-source-shared-thousands-of-leaked-google-search-api-documents-with-me-everyone-in-seo-should-see-them/
30/05/2024 13:50:20

On Sunday, May 5th, I received an email from a person claiming to have access to a massive leak of API documentation from inside Google’s Search division.

sparktoro EN 2024 Google Leak Search API
Dell API abused to steal 49 million customer records in data breach https://www.bleepingcomputer.com/news/security/dell-api-abused-to-steal-49-million-customer-records-in-data-breach/
11/05/2024 10:36:42

The threat actor behind the recent Dell data breach revealed they scraped information on 49 million customer records using a partner portal API they accessed as a fake company.

Security Data Forum Scraping Limit Rate Computer Breach Dell InfoSec Hacking API
Trello API abused to link email addresses to 15 million accounts https://www.bleepingcomputer.com/news/security/trello-api-abused-to-link-email-addresses-to-15-million-accounts/
28/01/2024 16:51:20

An exposed Trello API allows linking private email addresses with Trello accounts, enabling the creation of millions of data profiles containing both public and private information.

bleepingcomputer EN 2024 API Atlassian Data-Leak Email-Address Project-Management Trello
CVE-2023-46805 https://attackerkb.com/topics/AdUh6by52K/cve-2023-46805/rapid7-analysis
16/01/2024 14:39:31

Starting January 10, 2024, multiple parties (Ivanti, Volexity, and Mandiant) disclosed the existence of a zero-day exploit chain affecting Ivanti Connect Secur…

attackerkb EN 2023 CVE-2023-46805 Ivanti 0-day API
Fake Roblox packages target npm with Luna Grabber information-stealing malware https://www.reversinglabs.com/blog/fake-roblox-api-packages-luna-grabber-npm
24/08/2023 14:19:10

ReversingLabs researchers have identified more than a dozen malicious packages targeting Roblox API users on the npm repository. This latest campaign recalls a 2021 attack.

reversinglabs EN 2023 Roblox API npm LunaGrabber
CVE-2023-35082 - MobileIron Core Unauthenticated API Access Vulnerability | Rapid7 Blog https://www.rapid7.com/blog/post/2023/08/02/cve-2023-35082-mobileiron-core-unauthenticated-api-access-vulnerability/
04/08/2023 09:42:28

Rapid7 discovered a new vulnerability that allows unauthenticated attackers to access the API in unsupported versions of MobileIron Core (11.2 and below).

rapid7 EN 2023 CVE-2023-35082 MobileIron Core Unauthenticated API Access Vulnerability
Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More https://samcurry.net/web-hackers-vs-the-auto-industry/
05/01/2023 07:01:14

During the fall of 2022, a few friends and I took a road trip from Chicago, IL to Washington, DC to attend a cybersecurity conference and (try) to take a break from our usual computer work.

While we were visiting the University of Maryland, we came across a fleet of electric scooters scattered across the campus and couldn't resist poking at the scooter's mobile app. To our surprise, our actions caused the horns and headlights on all of the scooters to turn on and stay on for 15 minutes straight.

When everything eventually settled down, we sent a report over to the scooter manufacturer and became super interested in trying to find more ways to make more things honk. We brainstormed for a while, and then realized that nearly every automobile manufactured in the last 5 years had nearly identical functionality. If an attacker were able to find vulnerabilities in the API endpoints that vehicle telematics systems used, they could honk the horn, flash the lights, remotely track, lock/unlock, and start/stop vehicles, completely remotely.

samcurry EN 2023 Auto Industry Critical Vulnerabilities BMW Rolls Royce Porsche car-hacking API
Hacker claims to be selling Twitter data of 400 million users https://www.bleepingcomputer.com/news/security/hacker-claims-to-be-selling-twitter-data-of-400-million-users/
27/12/2022 13:11:04

A threat actor claims to be selling public and private data of 400 million Twitter users scraped in 2021 using a now-fixed API vulnerability. They're asking $200,000 for an exclusive sale.

bleepingcomputer EN 2022 Twitter threat API vulnerability ransom
There Is More Than One Way to Sleep: Dive Deep Into the Implementations of API Hammering by Various Malware Families https://unit42.paloaltonetworks.com/api-hammering-malware-families/
26/06/2022 13:26:06

Learn about the unique implementations of API Hammering malware samples and how to mitigate them.

unit42 API Hammering EN 2022 malware API-Hammering Zloader BazarLoader
Shaarli - The personal, minimalist, super-fast, database free, bookmarking service by the Shaarli community - Theme by kalvn - Curated by Decio