Closed jman23 closed 3 years ago
@jman23 anything new on this? Did you figure out if this is a security issue?
Appreciate it!
@rnehrboss - I believe this may still be a vulnerability if no other safeguard is implemented to lock down the getToken functionality to the public.
I ended up hardening my WP to disable any calls to that function from the public.
I haven't tried copying the getToken response and using it as the access token, but my guess is it would work.
@jman23 thanks for quick feedback. Are you doing any customer filtering based on WP login, since this is App owns data (right?) ?
@rnehrboss - Yes, I'm filtering and allowing customers to view reports based on their role. In WP, each customer/organization is assigned a role. I then assign Power BI reports to the specific roles. If someone within the same org needs a more limited view, I just create another role to limit their access. I'm using various 3rd party plugins for this workflow.
@jman23 Makes a lot of sense. Not sure where the link between the WP role and the Power BI filter comes in. Looked at your site. You guys are doing great work. Are you the dashboard designer?
Just chiming in from Atlas on this issue.
GetToken returns a bearer token that allows the browser to display the Power BI report. If you look at the 'subscribe' call, (either on your site or @ powerbi.com) this uses that token as an authorization bearer token.
In theory, this token could be used for (I think) 24 hours to access your report. (but not the underlying data)
As to whether or not it should be accessible to the public, that depends on your use case: if your report is behind a password or requires a user to login to access it, it shouldn't be public. I'll look into how, if at all, the plugin can address this issue. I think something should be possible.
In the meantime, there are a number of plugins that prevent direct access to WordPress resources: https://wordpress.org/plugins/prevent-direct-access/ I haven't researched them much, but I think you could find one that blocks access to a certain URL without being properly authenticated on the site.
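One way to do the hardening described in this thread (refusing the getToken route to anyone who is not logged in) without a third-party plugin, as an added example that is not part of the Power BI plugin or this thread: a must-use plugin that short-circuits the REST dispatch for that route. The route string, the capability name and the function names are assumptions chosen for the example.

```php
<?php
/**
 * Plugin Name: Require login for the Power BI getToken REST route
 * Description: Added example, not plugin code. Place in wp-content/mu-plugins/.
 */

// Route as the REST server sees it (the /wp-json prefix is not part of it).
// Assumption: this matches the URL seen in the server logs.
const PBI_TOKEN_ROUTE = '/wp/v2/powerbi/getToken';

// Capability the caller must hold. Assumption: 'read' means any logged-in user;
// tighten it to a custom capability if only some roles may embed reports.
const PBI_TOKEN_CAP = 'read';

/**
 * Runs before any REST callback. Returning a WP_Error stops the request,
 * so the token handler never executes for unauthenticated callers.
 */
function pbi_require_login_for_token( $result, $server, $request ) {
    // Only act on the exact token route; every other route passes through.
    $route = untrailingslashit( $request->get_route() );
    if ( strcasecmp( $route, PBI_TOKEN_ROUTE ) !== 0 ) {
        return $result;
    }

    // For cookie-authenticated REST calls WordPress only treats the user as
    // logged in when a valid X-WP-Nonce header is present; an incognito
    // window (no cookie, no nonce) is therefore rejected here.
    if ( ! is_user_logged_in() || ! current_user_can( PBI_TOKEN_CAP ) ) {
        // Log the denial so the periodic polling seen in the logs stays visible.
        error_log( sprintf(
            'powerbi getToken denied: ip=%s ua=%s',
            $_SERVER['REMOTE_ADDR'] ?? '-',
            $_SERVER['HTTP_USER_AGENT'] ?? '-'
        ) );
        return new WP_Error(
            'rest_forbidden',
            'Authentication required.',
            array( 'status' => 401 )
        );
    }

    return $result;
}
add_filter( 'rest_pre_dispatch', 'pbi_require_login_for_token', 10, 3 );
```

The page that embeds the report must then send the REST nonce (`wp_create_nonce( 'wp_rest' )` passed to the script and sent as the `X-WP-Nonce` header), otherwise logged-in visitors are also refused. Checking the token call from an incognito window, as the reporter did, is a quick way to confirm the guard works.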
First off, thanks for this wonderful plugin. We've been using it over a year now and it works great.
Just recently I noticed some logs on our WP server that show a call to https:///wp-json/wp/v2/powerbi/getToken about every 10 minutes or so.
For fun, I copied the URL and pasted it into an incognito window, which is not authenticated to our site, and noticed I receive what seems to be the access token back even though I'm not authenticated...
Appreciate your feedback.