
Microsoft Copilot Studio Critical Flaw Uncovered by Tenable Team

Uncovered Critical Data Leak in Microsoft's Copilot Studio: Tenable's Analysis Reveals Server-Side Request Forgery (SSRF) Vulnerability


Cybersecurity firm Tenable has uncovered a critical information disclosure vulnerability in Microsoft's Copilot Studio. If exploited, the flaw could grant malicious actors access to sensitive information held in Copilot Studio's shared environment.

The vulnerability is a server-side request forgery (SSRF) caused by improper handling of redirect status codes for user-configurable actions within Copilot Studio. An attacker could use it to make the Microsoft 365 application issue server-side HTTP requests to unexpected targets, or in an unexpected way.

One of the most concerning aspects of this vulnerability is that it allows a threat actor to obtain access tokens for the environment, including managed identity access tokens from the Instance Metadata Service (IMDS). Those tokens could in turn grant access to other shared resources, such as a Cosmos DB instance where sensitive information about the internals of Copilot Studio is stored.
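The two paragraphs above describe the shape of the flaw: a connector that checks where a user-configured action points, then follows a redirect to somewhere it never checked, such as the link-local metadata service. The following is an added example written for this article, not code from Tenable, Microsoft or Copilot Studio, showing the naive pattern beside a hardened fetcher that re-validates every hop. The DNS table, the fake HTTP responses and the hostnames are all constructed so the example runs offline; the public-looking address in the table is a stand-in, not a real target.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

# Added example for this article (not Tenable's, Microsoft's or Copilot Studio's code).
# Defensive shape: validate the destination of EVERY hop, including each redirect
# target, so a request can never land on link-local/private ranges such as IMDS.

MAX_REDIRECTS = 3
REDIRECT_CODES = {301, 302, 303, 307, 308}


class SsrfBlocked(Exception):
    """Raised when a requested destination is not an allowed public endpoint."""


def is_blocked_ip(ip_text: str) -> bool:
    """True for loopback, link-local (incl. IMDS), private, multicast, reserved or unspecified."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:   # ::ffff:a.b.c.d hides an IPv4 target
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_link_local or ip.is_private
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_target(url: str, resolver=socket.getaddrinfo) -> list:
    """Parse a URL, resolve its host, and refuse it unless every resolved address is public."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise SsrfBlocked(f"scheme not allowed: {parsed.scheme!r}")
    host = parsed.hostname
    if not host:
        raise SsrfBlocked("URL has no host")
    if parsed.username or parsed.password:
        raise SsrfBlocked("credentials in URL are not allowed")
    port = parsed.port or (443 if parsed.scheme == "https" else 80)
    try:                                    # IP literal: no DNS lookup needed
        addrs = {str(ipaddress.ip_address(host))}
    except ValueError:
        try:
            infos = resolver(host, port, proto=socket.IPPROTO_TCP)
        except socket.gaierror as exc:
            raise SsrfBlocked(f"cannot resolve {host!r}: {exc}") from exc
        addrs = {info[4][0] for info in infos}
    for addr in addrs:                      # one bad record in a mixed answer blocks the host
        if is_blocked_ip(addr):
            raise SsrfBlocked(f"{host!r} -> {addr} is not a public address")
    return sorted(addrs)                    # caller should pin the connection to these


def fetch_naive(url: str, send, resolver=socket.getaddrinfo):
    """The flawed pattern: only the first URL is checked, redirects are followed unchecked."""
    validate_target(url, resolver)
    for _ in range(MAX_REDIRECTS + 1):
        status, headers, body = send(url)
        if status not in REDIRECT_CODES:
            return status, body, url
        url = urljoin(url, headers["Location"])
    raise SsrfBlocked(f"more than {MAX_REDIRECTS} redirects")


def fetch_with_checked_redirects(url: str, send, resolver=socket.getaddrinfo):
    """Hardened pattern: redirects are followed manually and each Location is re-validated.

    send(url) performs one request with automatic redirects disabled and returns
    (status, headers, body). Returns (status, body, hops) on success.
    """
    hops = []
    for _ in range(MAX_REDIRECTS + 1):
        validate_target(url, resolver)      # the check runs for every hop, not just the first
        hops.append(url)
        status, headers, body = send(url)
        if status not in REDIRECT_CODES:
            return status, body, hops
        location = headers.get("Location")
        if not location:
            raise SsrfBlocked(f"{status} response without Location")
        url = urljoin(url, location)        # relative Location resolved against the current hop
    raise SsrfBlocked(f"more than {MAX_REDIRECTS} redirects")


# --- constructed, offline stand-ins for DNS and the remote servers (not real hosts) ----
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],                       # routable stand-in address
    "rebind.example.com": ["93.184.216.34", "169.254.169.254"], # mixed public/link-local answer
}
FAKE_SERVERS = {
    "http://api.example.com/report": (302, {"Location": "http://169.254.169.254/"}, b""),
    "http://api.example.com/data": (301, {"Location": "/data/v2"}, b""),
    "http://api.example.com/data/v2": (200, {}, b'{"ok": true}'),
    "http://169.254.169.254/": (200, {}, b"constructed stand-in for metadata"),
}


def fake_send(url):
    """Stand-in for an HTTP client with redirects disabled."""
    return FAKE_SERVERS.get(url, (404, {}, b"not found"))


def fake_resolver(host, port, proto=0):
    """Stand-in for socket.getaddrinfo backed by the constructed table."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"unknown host {host}")
    return [(None, None, proto, "", (addr, port)) for addr in FAKE_DNS[host]]


def demo() -> dict:
    """Run the constructed scenarios; returns what each fetcher allowed or blocked."""
    results = {}
    status, body, hops = fetch_with_checked_redirects("http://api.example.com/data", fake_send, fake_resolver)
    results["relative_redirect"] = (status, body, len(hops))
    _, _, final_url = fetch_naive("http://api.example.com/report", fake_send, fake_resolver)
    results["naive_redirect_to_imds"] = final_url               # the naive client reached it
    for name, url in [("redirect_to_imds", "http://api.example.com/report"),
                      ("direct_imds", "http://169.254.169.254/"),
                      ("mapped_imds", "http://[::ffff:169.254.169.254]/"),
                      ("mixed_dns", "http://rebind.example.com/"),
                      ("file_scheme", "file:///etc/hosts")]:
        try:
            fetch_with_checked_redirects(url, fake_send, fake_resolver)
            results[name] = "allowed"
        except SsrfBlocked as exc:
            results[name] = f"blocked: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24} {outcome}")
```

The design point is that the check has to sit in the loop that follows redirects, not in front of it; a real client would also disable its library's automatic redirect following and pin the connection to the addresses returned by validate_target, so a second DNS answer cannot swap in a different destination after the check.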

Exploiting this flaw requires no information beyond ordinary use of Copilot Studio. It is important to note that the vulnerability has potential cross-tenant impact, meaning it could affect multiple customers using the Microsoft service.

Microsoft has confirmed that remediations for this issue were in place as of July 31, 2024, and no customer action is required. The identities of the individuals involved in discovering and fixing the SSRF vulnerability in Microsoft Copilot Studio have not been publicly disclosed.

Jimi Sebree, a representative from Tenable, emphasised that the Instance Metadata Service (IMDS) is a common target in cloud applications because it can yield sensitive information to an attacker. This discovery follows Tenable's recent findings of flaws in Microsoft's Azure Health Bot service, Azure Service Tags, and three vulnerabilities in the Azure API Management service.

For more technical details, including the team's findings and proof of concept, readers are encouraged to visit the Tenable blog and the technical advisory. This incident serves as a reminder of the importance of thorough testing and security measures when releasing products in a new or rapidly expanding space.
