
Potential security issue against the token for publicly shared reports

Open · etiennetack opened this issue 3 years ago · 1 comment

Hello, I've found an issue when you restrict a token's usage to a public Power BI URL.

We use Power BI to disseminate data, so we really need to share these reports publicly. The problem is, when you open your web browser console, you can see Mapbox requests that clearly include your token. Thus, a malicious person could use your token on your behalf. It's for that reason that, in your Mapbox account, you can restrict the usage of your token to specific URLs only, but that's not working for Power BI public reports. Now, when I inspect the console, I can see that the request responses return "access forbidden".

The report's public URL looks like this:

https://app.powerbi.com/view?r=<A Report Unique Id>

The publish button on Power BI's online interface, when you open a report (Publish to web):

[screenshot: the "Publish to web" button in Power BI's online interface]

Thank you

etiennetack · Jun 30 '21 22:06

Bug will be handled in the new project. Your reported bug can be found here.

mate-turi · Aug 18 '22 06:08