The good news is I hacked myself, want to know how, let me explain.
Case Study
You get invited to use a new Power App, it's functionality is to read your Outlook Calendar events for a week, where you can remove unnecessary ones and then download the list to your OneDrive. Yes I know that's a pretty terrible app but lets pretend you want to use it.
You log in, try it and works great, after 30 seconds sign off, and all is good. Well no, you just got hacked.
How, well I now have a copy of your OneDrive files and all of your inbox.
So how, well it's all down to this screen:
The app needs permission to read your calendar and save to OneDrive, but what you are not told clearly is it doesn't just have read rights for Outlook and write rights to OneDrive, but full read/write to both.
This key information is hidden behind 'view permissions', and we all know how many people actually click those links.
So on app start this single line of Power FX runs
OneDrive.Run()
And it calls this flow:
(I've included a filter to non folders and a compose to take only 3 files for the PoC)
The flow uses that OneDrive connection to read and get the content of your files. It uses the Outlook connection to read your emails, and to send it all to me.
What about the sent folder? Nope, I have full access, remember, so I delete the sent email.
But it gets worse, flows can run for 30 days (lean.microsoft.com). So this flow can wait 24 hours, and repeat, for a whole 30 days. So not only have you been hacked once, but for the next 30 days. And there is no way you can see or stop it.
So this is all the flow needs:
- Power App Trigger
- Initialises an file array
- Gets Excel files from users Document folder
- ForEach Loop
- if folder loop of folder
- if file Gets Content
- Appends to array
- Gets emails
- Creates HTML table of emails
- Sends Email with attachments and html
- Waits for send to appear
- Gets sent emails with specific subject
- Deletes them
13 Steps is all it took, add 6 more to get next level of folders, and so on. Then add a 24 hour delay and a Do until loop and now this one hack is 30.
I know there are lots of questions and possible challenges to this, but this app and flow was made in under 2 hours, so those challenges could easily be solved. And this is just once case, there is also:
- Sending emails from the account e.g approving things that shouldn't be
- Delete specific emails
- Decline meetings
- Share files
- Save to a SharePoint library instead
- Targeted so only runs on a specific individual
And many many more.
The problem is all because Microsoft broke the cardinal rule of security, that the 'Principle of Least Privilege' is king.
The principle of least privilege (PoLP) refers to an information security concept in which a user is given the minimum levels of access – or permissions – needed to perform his/her job functions. It is widely considered to be a cybersecurity best practice and is a fundamental step in protecting privileged access to high-value data and assets.
So the fact that connections are set to the highest privilege (you try to share read calendar and you give write access to emails) is a big oversight by them.
Fortunately Canvas Apps are internal business apps, so you are in a safe space, but it only takes one bad actor (a disgruntled employee or someone with a grudge) for that house of cards to fall. And because everyone is over complacent in the safe space, they are vulnerable. Don't get me wrong this isn't just a Power App issue (I even made a PoC of a Excel Macro that did the same), people should be cautious about internal emails too.
So how do we fix this, well there's 3 areas:
Microsoft
- Power Apps need to copy Google and Apple with a lot more detail with the connections (Every app shows you exactly what permissions the app is using). The actual granular permissions it uses should be shown, as in my case study the user would ask why the app was reading my OneDrive when should just be writing to.
- The option to not approve them and still use the app (even if it breaks functionality).
- A Power BI like Endorsement to say App has been checked would be a good option.
- If a App uses a Flow then the users should be able to see a view of the flow, so they know what it does.
Organisation
- Educate your users about what the risks are of giving apps permission.
- Enforce Code Reviews wherever possible.
- Limit sharing of Apps in Default. Even if just to 'everyone in organisation' is a good start, but ideally a cap so that any app shared with over x people must be reviewed.
Personal
- We all need to take responsibility for our actions, especially when it includes sharing our access.
- Don't use apps from unknown people.
- Check the permissions with the apps functionality.
- Escalate any concerns.
If this is you Bala, thank you for being my guinea pig, check your Outlook, you've just been hacked 😎
Cover image by dall-e-2
Top comments (1)
The Bait worked mate :-)...
the process is called ClickJacking Attacks.. and well documented