starschema / mapboxgl-powerbi

Mapbox Visual for Power BI - High performance, custom map visuals for Power BI dashboards
https://appsource.microsoft.com/en-us/product/power-bi-visuals/WA104381472?tab=Overview
MIT License

[BUG] - Security issue against the token for publicly shared reports #26

Open mate-turi opened 2 years ago

mate-turi commented 2 years ago

Describe the bug

When we open our web browser console, we can see Mapbox requests that clearly include our token. Thus, a malicious person could use our token on our behalf. The problem is that the situation is the same in the case of publicly shared reports on the web. If we publicly share our report, which contains a Mapbox visualization, the private access token can be used by anyone.

To Reproduce

Steps to reproduce the behavior:

  1. Create a report with a Mapbox visualization, fill the access token field
  2. Publish the report into the PBI Service
  3. Create embed token, share the report publicly
  4. Check the console and the network activities

Expected behavior

The private access token shouldn't be exposed.

Screenshots

(screenshot image attached to the issue, not reproduced here)

aggrimm commented 2 years ago

If it were possible to use a URL-restricted access token for the mapbox visual, it seems like that would help quite a bit with this.
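An added example, not code from this issue or from the mapboxgl-powerbi project, showing the defender-side check the two posts point at: scan captured browser requests for Mapbox access tokens in the query string, flag secret (`sk.`) tokens as critical, and compare each request's Referer against the URL allowlist a URL-restricted token would carry. The request entries are constructed, and the allowlist check is a simplified model of such a restriction (it assumes enforcement against the Referer), not Mapbox's own logic.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample of browser network-log entries (not taken from the issue):
# a tile request carrying a public token from the report's own origin, a request
# carrying a secret token from an unrelated origin, and a non-Mapbox request.
SAMPLE_REQUESTS = [
    {"url": "https://api.mapbox.com/styles/v1/mapbox/streets-v11?access_token=pk.eyJ1Ijoic2FtcGxlIn0.abc123",
     "referer": "https://app.powerbi.com/view?r=constructed"},
    {"url": "https://api.mapbox.com/v4/mapbox.satellite/1/0/0.png?access_token=sk.eyJ1Ijoic2FtcGxlIn0.def456",
     "referer": "https://unrelated.example/"},
    {"url": "https://app.powerbi.com/api/data", "referer": "https://app.powerbi.com/"},
]

# Mapbox token shape: "pk." (public) or "sk." (secret) followed by two base64url segments.
TOKEN_RE = re.compile(r"^(pk|sk)\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+$")


def classify_token(token: str):
    """Return 'public', 'secret', or None if the value is not a Mapbox token."""
    match = TOKEN_RE.match(token)
    if not match:
        return None
    return "public" if match.group(1) == "pk" else "secret"


def redact(token: str) -> str:
    """Keep only the prefix and tail so findings can be logged without leaking the token."""
    return token[:6] + "..." + token[-4:]


def find_exposed_tokens(entries, allowed_url_prefixes):
    """Report every Mapbox request carrying a token, with its kind and whether the
    Referer would pass a URL restriction limited to allowed_url_prefixes."""
    findings = []
    for entry in entries:
        parts = urlsplit(entry["url"])
        if not parts.hostname or not parts.hostname.endswith("mapbox.com"):
            continue
        for token in parse_qs(parts.query).get("access_token", []):
            kind = classify_token(token)
            if kind is None:
                continue
            referer = entry.get("referer", "")
            findings.append({
                "host": parts.hostname,
                "kind": kind,
                "token": redact(token),
                "referer_allowed": any(referer.startswith(p) for p in allowed_url_prefixes),
            })
    return findings
```

Run `find_exposed_tokens(SAMPLE_REQUESTS, ["https://app.powerbi.com/"])` to see the public token accepted from the report origin and the secret token flagged as both secret and off-allowlist.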