
Snapshot of the Generated Authorization Token | Image: CloudSEK
A serious data exposure incident in the aviation industry has been uncovered by CloudSEK’s BeVigil platform, revealing that more than 50,000 Microsoft Azure AD user records were publicly accessible due to a misconfigured unauthenticated API endpoint embedded in a JavaScript file.
The vulnerability originated from a JavaScript bundle containing a hardcoded URL for an endpoint that issued a Microsoft Graph API token without requiring any authentication. The token carried excessive permissions, namely User.Read.All (read the full profile of every user in the tenant) and AccessReview.Read.All (read identity governance access review data).
“This endpoint issued a Microsoft Graph API token with excessive permissions… typically restricted due to their ability to access full user profiles and critical identity governance data,” the report states.
Using this token, attackers could retrieve a wide array of sensitive data from Microsoft Graph, including:
- Employee names and job titles
- Email addresses and contact details
- Organizational hierarchy
- Access review configurations
- Executive leadership profiles
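The following Python audit helper is an added example, not CloudSEK's tooling or anything taken from the report. It shows the two checks a front-end secrets review would make in a case like this: scan a shipped bundle for hardcoded token-issuing endpoints and direct Graph calls, then decode the claims of a token the endpoint hands out and flag high-privilege Graph permissions such as User.Read.All and AccessReview.Read.All. The bundle fragment, the endpoint path, and the token claims are constructed for illustration; the high-privilege permission set is a starting list, not an exhaustive one, and the decoder deliberately does not verify the signature because it is an audit aid, not an authorization check.

```python
import base64
import json
import re

# Constructed fragment of a front-end bundle (illustrative, not the real file).
SAMPLE_BUNDLE = """
const cfg={apiBase:"https://api.example-airline.test"};
async function getGraphToken(){
  const r=await fetch(cfg.apiBase+"/auth/graph-token");
  return (await r.json()).access_token;
}
fetch("https://graph.microsoft.com/v1.0/users?$select=displayName,jobTitle,mail",{headers:{Authorization:"Bearer "+t}});
"""

# Graph permissions that expose tenant-wide identity data; extend as needed.
HIGH_PRIVILEGE_GRAPH_PERMISSIONS = {
    "User.Read.All", "User.ReadWrite.All",
    "Directory.Read.All", "Directory.ReadWrite.All",
    "AccessReview.Read.All", "AccessReview.ReadWrite.All",
    "Group.Read.All", "Group.ReadWrite.All",
}

# Microsoft Graph audience as it appears in the token's "aud" claim (URL or app ID form).
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}

# Quoted string literals that look like a token-issuing route, and direct Graph URLs.
ENDPOINT_RE = re.compile(r'["\'](/?[^"\'\s]*token[^"\'\s]*)["\']', re.IGNORECASE)
GRAPH_CALL_RE = re.compile(r'https://graph\.microsoft\.com/[^"\'\s]*')


def find_token_endpoints(bundle: str) -> list[str]:
    """Return distinct hardcoded paths/URLs in the bundle whose name mentions 'token'."""
    return sorted({m.group(1) for m in ENDPOINT_RE.finditer(bundle)})


def find_graph_calls(bundle: str) -> list[str]:
    """Return distinct Microsoft Graph URLs the front-end code calls directly."""
    return sorted(set(GRAPH_CALL_RE.findall(bundle)))


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWS. No signature verification: audit use only,
    never for an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def assess_graph_token(claims: dict) -> dict:
    """Flag a token that targets Graph and carries any high-privilege permission.
    Delegated tokens list scopes in 'scp' (space separated); app tokens use 'roles' (list)."""
    scopes = set(claims.get("scp", "").split()) | set(claims.get("roles", []))
    is_graph = claims.get("aud") in GRAPH_AUDIENCES
    excessive = sorted(scopes & HIGH_PRIVILEGE_GRAPH_PERMISSIONS)
    return {
        "graph_audience": is_graph,
        "excessive_permissions": excessive,
        "flag": is_graph and bool(excessive),
    }


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.not-a-real-signature"


# Constructed claims resembling what an over-scoped delegated Graph token would carry.
SAMPLE_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "scp": "User.Read.All AccessReview.Read.All openid profile",
}


def audit(bundle: str, token: str) -> dict:
    """Combine the bundle scan and the token assessment into one finding record."""
    return {
        "token_endpoints": find_token_endpoints(bundle),
        "graph_calls": find_graph_calls(bundle),
        "token": assess_graph_token(decode_jwt_claims(token)),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_BUNDLE, make_sample_token(SAMPLE_CLAIMS)), indent=2))
```

Run against a real bundle, the endpoint scan is only a lead: the decisive step is to request the endpoint unauthenticated (from a clean session) and inspect the returned token's aud and scp/roles, which is exactly what the assessment function reports.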
This kind of unauthorized access is not only a serious privacy violation but also creates a direct path to identity theft, privilege escalation, and spear-phishing attacks against senior personnel.
The exposed API endpoint was returning live data for over 50,000 Azure AD users, and even continued delivering information for newly onboarded users.
“Data associated with over 50,000 users was accessible… Among the exposed information were personal identifiers, user principal names, access role assignments, and other governance details.”
Such exposure dramatically enlarges the attack surface and presents severe regulatory risks under privacy laws such as GDPR and CCPA.
“The exposure of personally identifiable information without proper safeguards raises serious compliance concerns,” CloudSEK emphasized.
Organizations, especially those in critical infrastructure sectors like aviation, must reevaluate how sensitive tokens are handled within front-end applications: a token that anyone who can load the JavaScript can obtain is effectively public. Strict token scoping (least privilege on Graph permissions), authentication on every token-issuing endpoint, and code-level secrets review of shipped bundles can mitigate similar risks.