Microsoft Power BI is apparently exposing user data online

Sead Fadilpašić

June 21, 2024 at 11:52 AM·2 min read

Cybersecurity researchers from the Nokod Research Team have discovered Power BI, Microsoft’s business intelligence tool, is leaking sensitive data in a way that’s quite simple to extract.

In a blog post detailing the findings, Nokod said the vulnerability affects “tens of thousands” of organizations globally, and that malicious actors could abuse the flaw to grab sensitive data such as employee, customer, business, and government information.

Protected health information (PHI), as well as personally identifiable information (PII), can also be accessed, the researchers said. All of this can be done online and anonymously.

Easy to exploit

Describing the issue, Nokod said that every Power BI report is built on top of a semantic model - meaning all of the data used for visualization. The report object is the one defining which data becomes visible in the UI, and how. Now, when a user shares a report object with other people, those people can access all of the underlying raw data represented by the semantic model.

In other words, detailed data records used to display aggregations in the report’s UI, tables that are included in the semantic model and are not displayed in the report at all (even when these tables are explicitly marked as “hidden” in the model), non-displayed columns of tables not visible in the report’s UI (as details or aggregations, and even when these columns are explicitly marked as “hidden” in the model), detailed data records of tables that are used in the display, even if the display filters out these records, all of this can be accessed. To make things worse, Nokod says extracting this data is “very easy”.

“This behavior affects reports that are accessible inside an organization as well as reports that are published to the web,” they said, adding that they found numerous publicly accessible reports via search engines, and were able to extract sensitive data from them.

Nokod tipped Microsoft off on its findings, but the Redmond software giant said this was not a bug, but a feature.

“Microsoft’s position is that the behavior we uncovered is a design choice rather than a vulnerability,” the researchers said. “Hence it is the responsibility of organizations who create and share the reports to create them in a way that does not disclose any sensitive information.”

The researchers said they disagree with Microsoft and shared a list of things to do to help organizations protect their data while creating reports, as well as a free risk assessment tool, both of which can be found here.

More from TechRadar Pro

Microsoft data breach exposes employee data, company files online
Here's a list of the best firewalls today
These are the best endpoint protection tools right now

Yahoo Finance
With just a few years until retirement, 55-year-olds haven't saved nearly enough, study finds
For Gen Xers, retirement isn’t far off, and millions of them haven't saved enough.
Yahoo Finance
Biden says Trump will make inflation worse. It's unclear if he can convince voters.
Joe Biden is likely to make a case on the debate stage tonight that Donald Trump will make inflation worse. Whether voters believe him is another matter entirely.
Engadget
Check out what Microsoft's Keystone streaming device might have been
Get a behind-the-scenes look at what Microsoft's proposed Keystone streaming device would have looked like if it had come to fruition.
Yahoo Sports
2024 NBA Draft grades: First-round pick-by-pick analysis
Here are Yahoo Sports' complete first-round draft grades.
Yahoo Sports
NBA Draft: Lakers select Tennessee star Dalton Knecht with No. 17 overall pick after surprising slide
Dalton Knecht, 23, was the oldest player selected in the draft when the Lakers picked him at No. 17.
Yahoo Personal Finance
Best credit cards for wedding expenses (June 2024)
Whether you’re going all-out for a destination wedding or having a small ceremony near home, these credit cards can help you save money on your nuptials.
Yahoo Sports
NBA Draft: Timberwolves trade with Spurs for No. 8 pick Rob Dillingham
Fresh off a breakout season, the Minnesota Timberwolves traded into the lottery Wednesday night.
Engadget
An ID verification service that works with TikTok and X left its credentials wide open for a year
An ID verification service that works with TikTok and X left its credentials wide open for a year. This means that hackers could potentially have accessed sensitive data, like drivers’ licenses.
Yahoo Sports
Nic Claxton agrees to 4-year, $100 million deal to return to Nets: Report
Nic Claxton isn't going anywhere.
Yahoo Life Shopping
The best 4th of July sales to shop now from Amazon, Walmart, Target and more
From TVs to mattresses to home appliances, the biggest retailers already have stellar savings ahead of the holiday.
Yahoo Sports
Fanatics CEO's initial reaction to MLB uniform fiasco: 'We f***ed this up'
The better analysis of MLB's new uniforms turned out to be "Nike f***ed this up."
Engadget
Surface Pro Copilot+ review: The best Surface tablet ever made, no thanks to AI
The Surface Pro is the fastest and most efficient Microsoft tablet we’ve seen yet, especially when paired together with its Flex keyboard. The new OLED screen is wonderful to behold and its NPU allows for powerful AI features.
Yahoo Sports
Celtics president Brad Stevens expects Kristaps Porziņģis to miss 'at least' start of next season with ankle injury suffered in Finals
Porziņģis is still consulting with doctors and expects to undergo surgery soon.
Yahoo Life Shopping
Clear weeds without bending over — this gizmo 'saves your back and time'
Stooping over to pull up pesky plants is no fun. Save your joints, with this anti-crouch, stand-up grass-grooming tool.
Engadget
A Meta ‘error’ broke the political content filter on Threads and Instagram
Meta continued to limit political content even for users who had opted in to seeing it due to an unspecified "error."
Yahoo Finance
Rivian stock soars as Volkswagen says it will invest up to $5 billion in new joint venture
Rivian shares are surged after the EV maker announced a joint venture deal with Volkswagen, crucially bringing fresh capital into Rivian’s coffers.
Yahoo Life Shopping
Facebook bargain hunters say this $5 mascara creates the 'longest lashes ever'
'I’m 60 and I have worn mascara since I was 14 — NONE compare': Fans love this smudge-proof, irritation-free, no-flake formula.
Yahoo Life Shopping
Dick's Sporting Goods' 4th of July sale features Patagonia, Solo Stove and more
We're seeing fireworks-worthy deals — up to 85% off! — on leggings and outdoor gear, plus Brooks, Nike and Yeti.
Yahoo Sports
Concern for Cole, Padres-Nationals beef, college baseball drama & who might be in the Home Run Derby
Jake Mintz and Jordan Shusterman examine if there’s reason for concern with Gerrit Cole after two rough outings, drama within the college baseball world, who might be participating in the 2024 Home Run Derby and ask why some players don’t have a home run yet this season.
Yahoo Tech
How to clean your Apple AirPods and why you should sanitize them often
Whether you use Apple’s AirPods Pro, AirPods Max or just regular AirPods, there’s a safe and effective way to keep them clean.

News

Life

Entertainment

Finance

Sports

New on Yahoo

Microsoft Power BI is apparently exposing user data online

Easy to exploit

More from TechRadar Pro

Recommended Stories

With just a few years until retirement, 55-year-olds haven't saved nearly enough, study finds

Biden says Trump will make inflation worse. It's unclear if he can convince voters.

Check out what Microsoft's Keystone streaming device might have been

2024 NBA Draft grades: First-round pick-by-pick analysis

NBA Draft: Lakers select Tennessee star Dalton Knecht with No. 17 overall pick after surprising slide

Best credit cards for wedding expenses (June 2024)

NBA Draft: Timberwolves trade with Spurs for No. 8 pick Rob Dillingham

An ID verification service that works with TikTok and X left its credentials wide open for a year

Nic Claxton agrees to 4-year, $100 million deal to return to Nets: Report

The best 4th of July sales to shop now from Amazon, Walmart, Target and more

Fanatics CEO's initial reaction to MLB uniform fiasco: 'We f***ed this up'

Surface Pro Copilot+ review: The best Surface tablet ever made, no thanks to AI

Celtics president Brad Stevens expects Kristaps Porziņģis to miss 'at least' start of next season with ankle injury suffered in Finals

Clear weeds without bending over — this gizmo 'saves your back and time'

A Meta ‘error’ broke the political content filter on Threads and Instagram

Rivian stock soars as Volkswagen says it will invest up to $5 billion in new joint venture

Facebook bargain hunters say this $5 mascara creates the 'longest lashes ever'

Dick's Sporting Goods' 4th of July sale features Patagonia, Solo Stove and more

Concern for Cole, Padres-Nationals beef, college baseball drama & who might be in the Home Run Derby

How to clean your Apple AirPods and why you should sanitize them often