![[The AI Show Episode 151]: Anthropic CEO: AI Will Destroy 50% of Entry-Level Jobs, Veo 3’s Scary Lifelike Videos, Meta Aims to Fully Automate Ads & Perplexity’s Burning Cash](https://www.marketingaiinstitute.com/hubfs/ep%20151%20cover.png)
![[DEALS] FileJump 2TB Cloud Storage: Lifetime Subscription (85% off) & Other Deals Up To 98% Off – Offers End Soon!](https://www.javacodegeeks.com/wp-content/uploads/2012/12/jcg-logo.jpg){kind=logo}
_Suriya_Phosri_Alamy.jpg?width=1280&auto=webp&quality=80&disable=upscale#)
![Epic Games: Apple’s attempt to pause App Store antitrust order fails [U]](https://i0.wp.com/9to5mac.com/wp-content/uploads/sites/6/2025/05/epic-games-app-store.jpg?resize=1200%2C628&quality=82&strip=all&ssl=1)
![Does the Galaxy Watch 8 ‘squircle’ design appeal to you? [Poll]](https://i0.wp.com/9to5google.com/wp-content/uploads/sites/4/2025/05/galaxy-watch-8-classic-render-leak-3.jpg?resize=1200%2C628&quality=82&strip=all&ssl=1)
50,000+ Azure AD Users Access Token Exposed From Unauthenticated API Endpoint
A critical security vulnerability affecting over 50,000 Azure Active Directory users has been discovered, exposing sensitive employee data through an unsecured API endpoint embedded within a JavaScript file. The incident, uncovered by cybersecurity firm CloudSEK, reveals how a single misconfiguration can grant unauthorized access to Microsoft Graph data, including executive-level information and organizational structures. The […] The post 50,000+ Azure AD Users Access Token Exposed From Unauthenticated API Endpoint appeared first on Cyber Security News.
A critical security vulnerability affecting over 50,000 Azure Active Directory users has been discovered, exposing sensitive employee data through an unsecured API endpoint embedded within a JavaScript file.
The incident, uncovered by cybersecurity firm CloudSEK, reveals how a single misconfiguration can grant unauthorized access to Microsoft Graph data, including executive-level information and organizational structures.
The vulnerability originated from a hardcoded API endpoint found within a JavaScript bundle on a publicly accessible subdomain of a major aviation company.
This endpoint, accessible without any authentication requirements, automatically issued Microsoft Graph API tokens with excessive permissions, specifically User.Read.All and AccessReview.Read.All capabilities.
.webp)
These elevated privileges typically require strict administrative oversight due to their ability to access comprehensive user profiles and critical identity governance configurations.
CloudSEK analysts noted that the exposed endpoint continued to return data for newly added users, indicating an ongoing security risk that extended beyond the initial discovery.
The researchers identified the vulnerability using their BeVigil platform’s API Scanner, which detected the unsecured endpoint during routine attack surface monitoring of the organization’s digital infrastructure.
The scope of exposed information encompasses detailed employee records, including names, job titles, contact details, reporting hierarchies, and access review configurations.
.webp)
Among the compromised data were records of senior executives, including individuals with titles such as “Chief Executive Officer,” “Co-Founder & Director,” and “Principal Cyber Security,” making them prime targets for sophisticated social engineering attacks and corporate espionage.
The incident highlights a fundamental security oversight where sensitive backend services were directly exposed through client-side code, violating basic principles of secure application architecture.
The misconfiguration demonstrates how modern web applications can inadvertently create significant attack vectors when proper security controls are not implemented.
Vulnerability Analysis
The core vulnerability stemmed from improper token management within the application’s front-end architecture.
The JavaScript file contained embedded logic that automatically generated Microsoft Graph access tokens with broad permissions, effectively bypassing Azure AD’s built-in security controls. The exposed endpoint utilized the following permission scopes:-
{
"scope": "User.Read.All AccessReview.Read.All",
"grant_type": "client_credentials"
}This configuration allowed any individual with access to the endpoint to query Microsoft Graph APIs and retrieve comprehensive organizational data.
The vulnerability exemplifies how client-side exposure of authentication mechanisms can circumvent enterprise security policies, creating unauthorized pathways into protected cloud services.
CloudSEK’s analysis revealed that the token generation occurred without proper validation or rate limiting, enabling potential attackers to extract large volumes of sensitive corporate data systematically.
Celebrate 9 years of ANY.RUN! Unlock the full power of TI Lookup plan (100/300/600/1,000+ search requests), and your request quota will double.
The post 50,000+ Azure AD Users Access Token Exposed From Unauthenticated API Endpoint appeared first on Cyber Security News.
.png?#)
