A security vulnerability was identified in a major aviation company's public API that exposed sensitive data of over 50,000 Azure AD users. The leak stemmed from an unauthenticated JavaScript file that granted elevated Microsoft Graph permissions, risking data breaches and compliance violations. #AzureAD #MicrosoftGraph
Key points
- A critical security gap was found in a publicly accessible API endpoint of an aviation company.
- The vulnerability involved a JavaScript file exposing an unauthenticated API issuing privileged tokens.
- Over 50,000 users' personal data, including executive information, was exposed due to this flaw.
- Attackers could misuse the tokens for unauthorized data access, identity theft, and phishing attacks.
- Recommended remediation includes disabling public API access, revoking tokens, and enforcing least privilege.
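The least-privilege point above can be checked mechanically: a token handed to a browser-facing script should never carry tenant-wide Microsoft Graph permissions. The helper below is an added example (not code from the report or the affected company) that decodes the claims of an access token you already hold and flags privileged Graph scopes or roles; the allowlist of "privileged" permission names is an assumption for illustration, and the sample token is constructed and unsigned.

```python
import base64
import json

# Graph permissions a public, unauthenticated client should never be issued.
# Assumed policy for this example; tune it to your tenant's risk appetite.
PRIVILEGED_GRAPH_PERMISSIONS = {
    "Directory.Read.All", "Directory.ReadWrite.All",
    "User.Read.All", "User.ReadWrite.All",
    "Group.Read.All", "Group.ReadWrite.All",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_permissions(token: str) -> set[str]:
    """Return the delegated scopes ('scp') and application roles ('roles')
    carried by an access token. The signature is deliberately NOT verified:
    this is a triage helper for inspecting a token you already possess."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    claims = json.loads(_b64url_decode(parts[1]))
    perms = set(claims.get("scp", "").split())   # delegated permissions
    perms.update(claims.get("roles", []))        # app-only permissions
    return perms


def overprivileged(token: str) -> set[str]:
    """Permissions in the token that violate the least-privilege allowlist."""
    return token_permissions(token) & PRIVILEGED_GRAPH_PERMISSIONS


def make_unsigned_jwt(claims: dict) -> str:
    # Constructed test token (alg=none, empty signature) for offline use only.
    header = {"alg": "none", "typ": "JWT"}
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}."


# Constructed sample resembling an over-scoped Graph token from a public client.
SAMPLE_TOKEN = make_unsigned_jwt({
    "aud": "https://graph.microsoft.com",
    "scp": "User.Read.All Directory.Read.All openid",
    "roles": ["Group.Read.All"],
})

if __name__ == "__main__":
    print("over-privileged permissions:", sorted(overprivileged(SAMPLE_TOKEN)))
```

Run it against tokens captured from your own client-side code during review; any non-empty result is a finding to remediate by narrowing the app registration's consented permissions.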