Critical Exposure of Azure AD Data via Unauthenticated Microsoft GraphAPI Token
Summary
CloudSEK’s BeVigil platform has recently uncovered a critical security flaw affecting a major aviation organization, exposing sensitive Azure Active Directory (Azure AD) data of over 50,000 users. The vulnerability stems from an exposed JavaScript file containing an unauthenticated API endpoint that issues elevated access tokens to the Microsoft Graph API. This exposure grants unauthorized access to detailed employee information, including executive-level data, putting the organization at significant risk of identity theft, privilege escalation, and targeted phishing attacks.
Affected Systems and/or Applications
- The Azure AD service, which is part of Microsoft’s cloud-based identity and access management solution. The exposed API allowed unauthorized access to user profiles, identity governance data, and other internal directory details stored in Azure AD. This includes sensitive information about employees, roles, access controls, and governance decisions.
- Microsoft Graph, which is the central API endpoint for interacting with Azure AD and other Microsoft services. The vulnerability was directly related to the exposure of an API endpoint that issued an access token for Microsoft Graph. This token had elevated privileges, particularly User.Read.All and AccessReview.Read.All, which provided unauthorized access to:
  - Full user profiles, contact details, and organizational structures.
  - Access review configurations and identity governance data within Microsoft services.
- JavaScript bundle embedded in the client-side code of the organization’s web applications. The JavaScript file contained the hardcoded endpoint that granted access to the Microsoft Graph API without any authentication. This file was accessible to the public, meaning attackers could discover and exploit the endpoint without needing any credentials or authentication.
Technical Details
The vulnerability discovered by CloudSEK’s BeVigil platform was traced to a misconfigured public-facing JavaScript bundle hosted on a subdomain owned by a major aviation company. Upon inspection, this script was found to contain a hardcoded reference to an internal API endpoint. Critically, this endpoint was accessible without any form of authentication or authorization, exposing it to anyone who had knowledge of its location.
This unauthenticated endpoint issued Microsoft Graph API access tokens with elevated permissions, specifically User.Read.All and AccessReview.Read.All. These scopes allow broad visibility into Azure Active Directory (AD), including full user profiles, directory structure, and access governance policies.
Using these tokens, an attacker could query Microsoft Graph endpoints such as /users and the access review endpoints under /identityGovernance/accessReviews, retrieving sensitive details for over 50,000 Azure AD users. The data included personal identifiers, user principal names (UPNs), job titles, contact information, reporting lines, and access review configurations. Because the token already carried the permissions, Graph applied no further access check beyond validating the token itself.
Particularly concerning was the exposure of executive and high-privilege user data, which significantly increases the risk of impersonation, spear phishing, and identity-based attacks. The API continued returning information for newly added users, further compounding the risk.
The root cause was a combination of exposing sensitive logic in client-side code and failing to enforce authentication or authorization on a backend service. No rate limiting or monitoring was in place, making the endpoint trivially exploitable and difficult to detect. This reflects a serious lapse in secure API design, identity management, and frontend-backend separation.
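The first thing a responder does with a token pulled from a bundle like the one described above is read its claims to confirm what it can reach. The following is an added example, not tooling from the CloudSEK/BeVigil report: it decodes a Microsoft Graph access token (a JWT), reads the delegated permissions from the `scp` claim (application permissions from `roles`), checks that the audience is Microsoft Graph, and maps the privileged scopes to the Graph endpoints they unlock. The sample token is constructed with a fake signature so the script runs offline; the tenant ID and UPN in it are invented. No signature verification is performed, which is appropriate for triaging a token already treated as leaked, not for accepting one.

```python
import base64
import json
import time
from typing import Optional

# Delegated Graph permissions that let a bearer enumerate the directory or read
# identity-governance data, mapped to a Graph endpoint each one unlocks. The
# advisory names the first two; the others are common siblings worth flagging.
PRIVILEGED_SCOPES = {
    "User.Read.All": "GET /v1.0/users",
    "AccessReview.Read.All": "GET /v1.0/identityGovernance/accessReviews/definitions",
    "Directory.Read.All": "GET /v1.0/directoryObjects",
    "Group.Read.All": "GET /v1.0/groups",
}

# Graph appears in `aud` either as its URL or as its well-known application ID.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def _b64url_decode(segment: str) -> bytes:
    """Base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. The signature is NOT checked:
    this is read-only triage of a token we already consider exposed."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def triage_token(token: str, now: Optional[float] = None) -> dict:
    """Summarise what a holder of this token can do against Microsoft Graph."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    # Delegated permissions are space-separated in `scp`; app-only ones are a list in `roles`.
    granted = set(claims.get("scp", "").split()) | set(claims.get("roles", []))
    privileged = sorted(s for s in granted if s in PRIVILEGED_SCOPES)
    return {
        "is_graph_token": claims.get("aud") in GRAPH_AUDIENCES,
        "tenant": claims.get("tid"),
        "subject_upn": claims.get("upn"),
        "granted": sorted(granted),
        "privileged": privileged,
        "reachable_endpoints": [PRIVILEGED_SCOPES[s] for s in privileged],
        "expired": int(claims.get("exp", 0)) <= now,
    }


def make_sample_token(claims: dict) -> str:
    """CONSTRUCTED token for offline use: real header/payload layout, fake signature."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.not-a-real-signature"


# Claims shaped like those the advisory describes. Tenant ID and UPN are made up.
SAMPLE_TOKEN = make_sample_token({
    "aud": "https://graph.microsoft.com",
    "tid": "00000000-0000-0000-0000-000000000000",
    "upn": "svc-portal@example.invalid",
    "scp": "User.Read.All AccessReview.Read.All openid profile",
    "exp": 4102444800,  # 2100-01-01, so the sample never reads as expired
})

if __name__ == "__main__":
    print(json.dumps(triage_token(SAMPLE_TOKEN), indent=2))
```

The `reachable_endpoints` list is the quickest way to explain impact to a non-specialist: User.Read.All alone is enough to page through every user object in the tenant with `GET /v1.0/users`, which is exactly the enumeration described above.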
Mitigation & Recommendations
To mitigate the risks associated with this vulnerability, the following actions should be prioritized:
- Disable Public API Access
Restrict access to the vulnerable endpoint and implement strict authentication controls to prevent unauthorized access.
- Revoke Compromised Tokens
Invalidate any exposed tokens and rotate affected credentials immediately to prevent further exploitation. Note that an access token already issued by Azure AD stays valid until it expires (typically about an hour), so the immediate priorities are revoking refresh tokens and sessions for the affected identity and rotating the application credential the backend used to obtain the tokens.
- Enforce Least Privilege
Review and limit API token permissions to only those necessary for the application’s functionality. Tokens should follow the principle of least privilege.
- Monitor API Usage
Implement logging and alerting to detect any abnormal or suspicious activity related to the Microsoft Graph API. If the vulnerable endpoint is fronted by Azure API Management with diagnostic logs sent to Log Analytics, you can flag callers making an excessive number of successful requests with the KQL below. Calls made directly to Microsoft Graph with a leaked token do not appear in this table; look for those in the MicrosoftGraphActivityLogs table instead.
let TriggerThreshold = 1000;
ApiManagementGatewayLogs
// Count only successful GETs (HTTP 200) per caller in hourly buckets
| where ResponseCode == 200
| where Method == "GET"
| summarize APICount=count() by CallerIpAddress, bin(TimeGenerated, 1h)
| where APICount > TriggerThreshold
- Secure Front-End Code
Ensure sensitive API endpoints and tokens are not embedded in client-side scripts (JavaScript files) or publicly accessible repositories.
- Audit Azure AD Roles and Permissions
Perform a comprehensive audit of Azure AD roles and permissions, ensuring that users do not have more access than required.
- Implement Rate Limiting
Protect the API with rate limiting and anomaly detection to mitigate the risk of brute force attacks or unauthorized access attempts.
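The "Secure Front-End Code" item above is easiest to act on with a scanner run over every bundle a build produces. The following is an added example, not BeVigil's tooling or the affected organization's code: it searches JavaScript source for the combination the advisory describes (a client that knows a token-issuing URL, references Microsoft Graph, or names privileged scopes) and rates the bundle. Both bundles below are constructed; the hostname and path in the vulnerable one are invented, and the hardened one shows the shape of the fix, where the browser calls its own authenticated backend and never receives a Graph token or Graph URL.

```python
import re
from typing import Dict, List

# Each pattern is one indicator of the anti-pattern in the advisory: client-side
# code that knows where to obtain a Graph token, names the scopes it expects,
# or ships a token outright.
INDICATORS: Dict[str, re.Pattern] = {
    "graph_api_reference": re.compile(
        r"https://graph\.microsoft\.com/(?:v1\.0|beta)/[\w/.\-]*", re.I),
    "token_endpoint": re.compile(
        r"""["'](https?://[^"'\s]+/[^"'\s]*token[^"'\s]*)["']""", re.I),
    "privileged_scope": re.compile(
        r"\b(?:User|Directory|Group|AccessReview)\.Read(?:Write)?\.All\b"),
    "embedded_jwt": re.compile(
        r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]+"),
}


def scan_bundle(source: str) -> List[dict]:
    """Return every indicator hit with its line number and the matched text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for kind, pattern in INDICATORS.items():
            for m in pattern.finditer(line):
                findings.append({"line": lineno, "kind": kind, "match": m.group(0)})
    return findings


def assess(findings: List[dict]) -> str:
    """Rate a bundle. A token-issuing URL next to Graph usage or privileged
    scope names is the exact combination the advisory describes."""
    kinds = {f["kind"] for f in findings}
    if "embedded_jwt" in kinds:
        return "critical"  # a live credential shipped to every visitor
    if "token_endpoint" in kinds and ({"graph_api_reference", "privileged_scope"} & kinds):
        return "high"
    if kinds:
        return "review"
    return "clean"


# CONSTRUCTED minified bundle mirroring the advisory; host and path are invented.
VULNERABLE_BUNDLE = (
    'const G="https://graph.microsoft.com/v1.0/users?$select=displayName,jobTitle,manager";\n'
    'async function t(){const r=await fetch("https://portal.example-airline.invalid/api/graph/token");'
    'const{access_token:e}=await r.json();return fetch(G,{headers:{Authorization:"Bearer "+e}})}\n'
    '// backend requests: User.Read.All AccessReview.Read.All\n'
)

# CONSTRUCTED hardened equivalent: the browser calls its own session-authenticated
# backend, which queries Graph server-side with least-privilege scopes and returns
# only the fields the page needs. No token or Graph URL reaches the client.
HARDENED_BUNDLE = (
    'async function t(){return fetch("/api/me/directory",{credentials:"include"})}\n'
)

if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_BUNDLE), ("hardened", HARDENED_BUNDLE)):
        hits = scan_bundle(src)
        print(f"{name}: {assess(hits)}")
        for h in hits:
            print(f"  line {h['line']:>2} {h['kind']:<20} {h['match']}")
```

Run it against the `dist/` or `build/` output of a CI pipeline rather than the source tree: minification and bundling are where a backend URL or scope list most often ends up inlined, and a fail-on-high gate at that stage would have stopped the bundle described in this advisory from shipping.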
What the Cyber Fusion Center is Doing
The CFC will continue to monitor the situation and send an advisory update if needed. The actions above are required to mitigate potential exploitation by restricting access and enhancing security monitoring. This incident underscores the importance of securing front-end components and ensuring that sensitive backend services are never directly exposed. Organizations must proactively monitor their digital infrastructure and enforce strict access controls to protect user data and maintain regulatory compliance.
References
50,000+ Azure AD Users Exposed via Unsecured API: BeVigil Uncovers Critical Flaw | CloudSEK
50,000+ Azure AD Users Access Token Exposed From Unauthenticated API Endpoint | Steven Lim