CloudSEK’s BeVigil platform recently uncovered a critical security lapse that exposed sensitive data of more than 50,000 Azure Active Directory (AD) users from a major aviation giant.
The breach, which involved an unauthenticated Microsoft Graph API endpoint, underscores the ongoing risks posed by improperly secured front-end code and excessive cloud permissions.

Technical Deep Dive: How the Exposure Occurred
The vulnerability was traced to a publicly accessible JavaScript file hosted on a subdomain associated with the organization.
Upon analysis, BeVigil’s automated API Scanner detected a hardcoded endpoint within the JavaScript bundle that was being invoked without authentication.
Critically, this endpoint was issuing Microsoft Graph API access tokens with broad, high-risk permissions – specifically, User.Read.All and AccessReview.Read.All.
Why These Scopes Are Dangerous
- User.Read.All: Grants the ability to read the full profiles of all users in the directory, not just the signed-in user.
- AccessReview.Read.All: Allows access to identity governance details and access reviews, often containing role assignments and privilege escalation data.
Tokens with such scopes are typically restricted to privileged backend processes and are never exposed through client-side code, where they are vulnerable to interception.
Sample Vulnerable JavaScript Snippet
```javascript
// Dangerous: hardcoded, unauthenticated endpoint returning a privileged token
fetch('https://subdomain.example.com/api/get-token')
  .then(response => response.json())
  .then(data => {
    const graphToken = data.token; // Token has User.Read.All, AccessReview.Read.All
    // Token used to call Microsoft Graph APIs
  });
```
What Could Attackers Access?
With the compromised token, any attacker could query Microsoft Graph API endpoints such as /users and /accessReviews, obtaining:
- Employee names, job titles, email addresses, and phone numbers
- Reporting and organizational structures
- Executive and privileged user data
- Access review configurations and role assignments
These details can be weaponized for social engineering, spear-phishing, identity theft, and privilege escalation attacks.
In this incident, data for newly onboarded users was also immediately at risk due to the endpoint’s dynamic access.

Massive Impact and Regulatory Risk
The scale of the exposure is severe: over 50,000 Azure AD users’ personal and professional information was accessible to anyone able to reach the endpoint.
Particularly alarming was the exposure of executive-level data, turning C-suite leaders and critical staff into prime targets for sophisticated attack campaigns.
This type of breach elevates the organization’s attack surface and brings potential compliance violations under frameworks such as GDPR and CCPA.
Unauthorized access to such a broad swath of personally identifiable information (PII) can trigger regulatory scrutiny, fines, and long-term reputational damage.
Key Security Missteps
The incident was the result of several key security missteps. First, the API endpoint was left publicly accessible without any authentication or authorization, allowing anyone to obtain sensitive access tokens.
Second, the tokens issued by this endpoint were overprivileged, granting far broader permissions than necessary for regular operation.
In addition, token management was inadequate: there were no effective mechanisms to limit or monitor how tokens were issued or used.
Finally, the sensitive logic and hardcoded endpoints were exposed in the front-end JavaScript code, making it easier for an attacker to discover and exploit the vulnerability.
Collectively, these missteps highlight the critical importance of maintaining robust security practices at every layer of application development and deployment.
Remediation
CloudSEK’s BeVigil team recommends urgent implementation of the following:
- Disable public API access and enforce authentication on all sensitive endpoints.
- Revoke and rotate all potentially compromised tokens and credentials.
- Adhere to least privilege principles: review scopes and only grant permissions strictly necessary for operation.
- Implement API monitoring with logging and anomaly detection for suspicious activity.
- Refactor front-end code to eliminate exposure of sensitive endpoints and logic.
- Audit directory roles and access reviews for overprovisioned access.
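The first, third and fourth recommendations above can be enforced at the endpoint that releases tokens. The following is an added example (not CloudSEK's code and not the affected organization's), written for Node.js; it assumes an upstream authentication layer populates `req.user`, decodes the token's `scp`/`roles` claims, and refuses to release any token carrying directory-wide scopes such as User.Read.All to browser code.

```javascript
// Added example: server-side guard for a token-releasing endpoint (hypothetical code).
// Graph permissions that must never be handed to a client. Extend as policy requires.
const HIGH_RISK_SCOPES = new Set(['User.Read.All', 'AccessReview.Read.All']);

// Decode a JWT payload without verifying it. This is policy inspection only;
// Microsoft Graph still validates the signature when the token is used.
function decodeJwtClaims(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/'); // base64url -> base64
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Collect delegated permissions ("scp", space-separated) and application
// permissions ("roles", array) from the decoded claims.
function permissionsOf(claims) {
  const scp = typeof claims.scp === 'string' ? claims.scp.split(' ') : [];
  const roles = Array.isArray(claims.roles) ? claims.roles : [];
  return [...scp, ...roles].filter(Boolean);
}

// Decide whether a token may be released to the caller.
// `req.user` is assumed to be set by upstream authentication middleware.
// Returns { status, body } in the shape an HTTP handler would send.
function guardTokenRelease(req, token) {
  if (!req.user) {
    return { status: 401, body: { error: 'authentication required' } };
  }
  const blocked = permissionsOf(decodeJwtClaims(token))
    .filter(p => HIGH_RISK_SCOPES.has(p));
  if (blocked.length > 0) {
    // Surface the event for monitoring; the token itself is never returned.
    console.warn(`token release blocked for ${req.user}: ${blocked.join(', ')}`);
    return { status: 403, body: { error: 'token scope exceeds client policy', blocked } };
  }
  return { status: 200, body: { token } };
}

// Constructed, unsigned sample token for demonstration only (not a real Entra ID token).
function sampleToken(claims) {
  const enc = obj => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.`;
}
```

In a real deployment the client should instead receive a token minted with the narrowest delegated scope it needs, so the 403 path acts as a backstop rather than the normal flow.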
This incident highlights the dangers of insufficient security hygiene in cloud-connected ecosystems, particularly when dealing with powerful APIs like Microsoft Graph.
Organizations must secure every layer of their tech stack, from front-end implementations to backend identity governance, to prevent similar breaches in an era where trust and compliance are paramount.
Vigilance and proactive security monitoring are not optional—they are essential for survival in today’s digital landscape.