Unauthenticated API Endpoint Exposes Access Tokens of 50,000+ Azure AD Users

CloudSEK’s BeVigil platform has uncovered a critical security vulnerability affecting an aviation industry giant, where an exposed JavaScript file containing an unauthenticated API endpoint granted unauthorized access to Microsoft Graph tokens with elevated privileges.

The security lapse resulted in the exposure of sensitive data belonging to more than 50,000 Azure Active Directory users, including executive-level personnel and confidential organizational information.

Technical Details

BeVigil’s API Scanner identified the security flaw within a JavaScript bundle that contained a hardcoded endpoint accessible without authentication requirements.

The vulnerable endpoint was configured to issue Microsoft Graph API tokens with excessive permissions, specifically User.Read.All and AccessReview.Read.All scopes.

These permissions are typically restricted within enterprise environments due to their capability to access comprehensive user profiles and critical identity governance data.

The exposed endpoint presented a significant security risk as it allowed unauthorized parties to obtain valid authentication tokens that could be used to query Microsoft Graph endpoints.

Through these tokens, attackers could retrieve detailed employee information including names, job titles, contact details, organizational reporting structures, and access review configurations.

The vulnerability was particularly concerning because the endpoint continued to return records for newly added users, indicating an ongoing exposure rather than a static data leak.

Impact

The scope of the data exposure encompasses over 50,000 user accounts, with accessible information including personal identifiers, user principal names, access role assignments, and governance details.

The exposure of executive-level data creates additional risks for targeted social engineering attacks and privilege escalation attempts within the affected organization.

The security incident introduces multiple compliance risks under regulatory frameworks such as GDPR and CCPA, as personally identifiable information was accessible without proper safeguards.

The unauthorized data access creates potential vectors for identity theft, targeted phishing campaigns, and internal directory structure reconnaissance.

Token misuse could grant attackers unrestricted visibility into internal organizational hierarchies and governance decisions.

CloudSEK has recommended immediate remediation actions including disabling public API access to the vulnerable endpoint, revoking compromised tokens, and implementing strict authentication controls.

Additional security measures include enforcing least privilege principles for token scopes, implementing comprehensive API usage monitoring with logging and alerting capabilities, and securing front-end code to prevent embedding sensitive endpoints in client-side scripts.

The incident highlights the critical importance of securing front-end components and ensuring that sensitive backend services maintain proper access controls.

Organizations are advised to conduct regular audits of Azure AD roles and permissions, implement rate limiting on API endpoints, and establish anomaly detection systems to identify unusual Microsoft Graph activity.

This vulnerability underscores the necessity for proactive monitoring of digital infrastructure and enforcement of strict access controls to protect user data and maintain regulatory compliance in enterprise environments.

Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.