access tokens exposed leak

A critical security flaw has exposed sensitive authentication credentials for over 50,000 Azure Active Directory users at a major aviation company, granting unauthorized access to extensive employee data and organizational structures. CloudSEK’s BeVigil platform uncovered the vulnerability through its API Scanner, which identified an exposed JavaScript file containing an unauthenticated API endpoint with hardcoded access credentials.

The compromised endpoint could issue Microsoft Graph API tokens carrying excessive permissions, notably the User.Read.All and AccessReview.Read.All scopes. Such privileges are normally restricted to authorized administrative personnel, yet because the endpoint required no authentication, anyone could obtain a token and systematically query Microsoft Graph endpoints to extract detailed employee information. Undiscovered flaws of this kind are exactly what opportunistic attackers look for, which makes timely detection crucial for preventing data breaches.
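The two audit checks that follow from this finding are (a) whether a JavaScript bundle embeds token-issuing logic or credentials, and (b) whether an issued Graph token carries scopes beyond what a client-side caller should ever hold. The example below is added here and is not CloudSEK's or BeVigil's code; the allow-list of tolerated scopes, the regular expressions and the sample inputs are assumptions constructed for illustration, and the token built for the test is an unsigned placeholder, not a real Microsoft-issued token.

```python
"""
Audit helpers for the finding described above:
 1. scan a JavaScript file for an embedded token endpoint / hardcoded secret, and
 2. decode a Microsoft Graph access token and flag scopes that exceed a
    least-privilege allow-list (User.Read.All, AccessReview.Read.All, ...).
All sample data below is constructed for this example.
"""
import base64
import json
import re

# Assumption for this example: a browser-side caller may hold at most these
# delegated scopes. Anything else is reported as excessive.
ALLOWED_SCOPES = {"User.Read", "openid", "profile", "email"}

# Things that should never appear in client-side scripts.
SECRET_PATTERNS = {
    "client_secret": re.compile(r"client_secret\s*[:=]\s*['\"]([^'\"]+)['\"]", re.I),
    "token_endpoint": re.compile(
        r"https://login\.microsoftonline\.com/[^'\"\s]+/oauth2/v2\.0/token"),
    # A literal JWT (three base64url segments, header starting with 'eyJ').
    "jwt_literal": re.compile(
        r"['\"](eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]*)['\"]"),
}


def scan_js_for_secrets(source: str) -> dict:
    """Return {finding_name: [matches]} for secrets/endpoints found in JS source."""
    findings = {}
    for name, pattern in SECRET_PATTERNS.items():
        hits = pattern.findall(source)
        if hits:
            findings[name] = hits
    return findings


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature.
    Suitable for inventorying what a token claims, never for trusting it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS/JWT")
    return json.loads(_b64url_decode(parts[1]))


def token_scopes(payload: dict) -> set:
    """Graph tokens carry delegated scopes in 'scp' (space-separated string)
    and application permissions in 'roles' (list)."""
    scopes = set(payload.get("scp", "").split())
    scopes |= set(payload.get("roles", []))
    return scopes


def excessive_scopes(payload: dict, allowed=ALLOWED_SCOPES) -> set:
    """Scopes on the token that exceed the least-privilege allow-list."""
    return token_scopes(payload) - set(allowed)


def make_unsigned_test_token(payload: dict) -> str:
    """Build an alg=none token for test data (constructed; not a real token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# --- constructed sample inputs resembling the vulnerable pattern ---
SAMPLE_JS = """
// token logic living in the browser bundle (constructed example)
const tokenUrl = "https://login.microsoftonline.com/common/oauth2/v2.0/token";
const body = { client_id: "app", client_secret: "EXAMPLE_NOT_A_REAL_SECRET",
               scope: "https://graph.microsoft.com/.default" };
"""

SAMPLE_PAYLOAD = {
    "aud": "https://graph.microsoft.com",
    "scp": "User.Read.All AccessReview.Read.All openid",
    "upn": "svc-example@example.invalid",
}

if __name__ == "__main__":
    print("JS findings:", scan_js_for_secrets(SAMPLE_JS))
    tok = make_unsigned_test_token(SAMPLE_PAYLOAD)
    print("excessive scopes:", excessive_scopes(decode_jwt_payload(tok)))
```

Run over a real bundle, `scan_js_for_secrets` gives the kind of hit the API scanner reported here; run over a token captured from your own application, `excessive_scopes` tells you whether the scopes it was granted match the least-privilege set you intended.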

Unauthorized attackers exploited excessive API permissions to systematically extract sensitive employee data without any authentication barriers.

The tokens granted unrestricted visibility into internal directory structures, creating direct pathways for identity theft and privilege escalation.

The breach encompassed a substantial portion of the organization’s workforce, including executive-level staff data among the exposed information. Attackers could retrieve full names, job titles, email addresses, contact details, and organizational reporting structures directly from Azure AD. Personal identifiers, user principal names, access role assignments, and sensitive governance configurations through AccessReview.Read.All permissions were accessible to unauthorized individuals. The endpoint continued returning records for newly added users, perpetuating the ongoing exposure.

Executive exposure created high-value targets for impersonation schemes and sophisticated social engineering attacks, as spear-phishing campaigns targeting high-level personnel became feasible. The vulnerability affected critical infrastructure within the aviation industry, raising concerns about operational security and potential disruption to vital services.

The exposure triggered serious compliance implications under privacy regulations including GDPR and CCPA, as personally identifiable information remained accessible without proper safeguards. Data breaches of this magnitude erode user trust and generate long-term reputational damage for affected organizations, and the incident significantly increased the organization’s attack surface. The vulnerability demonstrates how a minor configuration error can result in a massive security exposure across an enterprise environment.

Security experts recommend immediate remediation steps including disabling public API access, enforcing strict authentication controls, and revoking compromised tokens while rotating affected credentials.

Organizations must implement least privilege principles by limiting token scopes to necessary functions only, establish thorough logging systems to detect abnormal Microsoft Graph activity, and avoid embedding sensitive endpoints or token logic within client-side scripts to prevent similar exposures.
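As an added illustration of the logging recommendation above (this is example code written for this page, not a CloudSEK or Microsoft tool), the detector below flags an identity that pages through the user directory via Microsoft Graph or reads access-review governance data. The input records are constructed JSON lines loosely modelled on Microsoft Graph activity log fields; the field names, the threshold and the window are assumptions for this example and should be tuned to your own telemetry.

```python
"""
Detection sketch: alert when one identity enumerates the directory through
Microsoft Graph (repeated paged /users calls inside a sliding window) or
reads access-review definitions. Records are constructed for this example.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

ENUM_THRESHOLD = 5                  # paged /users calls per identity within WINDOW (assumed)
WINDOW = timedelta(minutes=10)      # sliding window length (assumed)
GRAPH_BASE = "https://graph.microsoft.com/v1.0"
SENSITIVE_PREFIXES = ("/identityGovernance/accessReviews",)


def parse_records(lines):
    """Yield dict records from JSON lines, converting the timestamp to datetime."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        yield rec


def is_directory_enumeration(path: str) -> bool:
    # Paged listing of the whole user collection: /users?$top=...&$skiptoken=...
    return path.startswith("/users") and ("$skiptoken=" in path or "$top=" in path)


def detect(lines):
    """Return a list of alerts: {'identity', 'reason', 'count'}."""
    alerts = []
    enum_times = defaultdict(list)       # identity -> timestamps of paged /users calls
    for rec in parse_records(lines):
        identity = rec.get("appId") or rec.get("userPrincipalName") or rec.get("ipAddress")
        path = rec["requestUri"].split(GRAPH_BASE, 1)[-1]
        if path.startswith(SENSITIVE_PREFIXES):
            alerts.append({"identity": identity, "reason": "access_review_read", "count": 1})
        if is_directory_enumeration(path):
            times = enum_times[identity]
            times.append(rec["time"])
            # Drop calls that fell out of the sliding window.
            while times and rec["time"] - times[0] > WINDOW:
                times.pop(0)
            # Fire once, when the count first reaches the threshold.
            if len(times) == ENUM_THRESHOLD:
                alerts.append({"identity": identity, "reason": "directory_enumeration",
                               "count": len(times)})
    return alerts


def _rec(minute: int, app: str, uri: str) -> str:
    """Build one constructed log line (documentation IP range, placeholder app id)."""
    return json.dumps({
        "time": f"2024-01-01T10:{minute:02d}:00Z",
        "appId": app,
        "ipAddress": "203.0.113.10",
        "requestUri": GRAPH_BASE + uri,
        "responseStatusCode": 200,
    })


# Constructed sample: one app pages through /users six times in five minutes,
# then reads access-review definitions; a second app makes a benign /me call.
SAMPLE_LOG = "\n".join(
    [_rec(0, "app-constructed-0001", "/users?$top=999")]
    + [_rec(m, "app-constructed-0001", f"/users?$top=999&$skiptoken=page{m}") for m in range(1, 6)]
    + [_rec(7, "app-constructed-0001", "/identityGovernance/accessReviews/definitions"),
       _rec(8, "app-constructed-0002", "/me")]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The key design choice is keying on the calling identity rather than the source IP: a leaked token is used from wherever the attacker happens to be, but the appId or principal on the token stays constant, so an unusually complete walk of `/users` by one identity is the signal worth alerting on.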
