Vulnerabilities discovered in Microsoft's Azure Health Bot Service

Researchers have discovered vulnerabilities within Microsoft's Azure Health Bot Service that could lead to sensitive patient data being exposed.


A team of researchers discovered two cybersecurity vulnerabilities in Microsoft's Azure Health Bot Service that could have given an attacker access to sensitive health data.


A new report shared with The Hacker News highlights two security vulnerabilities that Microsoft has since patched. According to the report, the vulnerabilities, if exploited, could have let a bad actor gain access to sensitive patient data. The Azure Health Bot Service lets developers at healthcare organizations build AI virtual health assistants that patients can interact with directly and that can also be used to offload administrative tasks.

The service is also used by insurance providers, whose customers can query the AI chatbot about their personal insurance claims, any benefits they may be entitled to, and available services. Tenable's research found the vulnerability in a component of the Azure AI Health Service called Data Connections. Reports indicate this mechanism was responsible for pulling data from third-party sources through an API.

"The vulnerabilities raise concerns about how chatbots can be exploited to reveal sensitive information," Tenable said in a statement. "In particular, the vulnerabilities involved a flaw in the underlying architecture of the chatbot service, highlighting the importance of traditional web app and cloud security in the age of AI chatbots."

Tenable found that the API's security protections could be bypassed, giving a user access they should not have had. As for the other vulnerability, Tenable found that an endpoint used to integrate systems with the Fast Healthcare Interoperability Resources (FHIR) data exchange format was vulnerable to the same attack as the Data Connections API.

"A threat actor could have used such access to perform privilege elevation to Global Administrator and install further means of persistence in a tenant," security researcher Eric Woodruff said. "An attacker could also use this access to perform lateral movement into any system in Microsoft 365 or Azure, as well as any SaaS application connected to Entra ID."

"An authenticated attacker can exploit a Server-Side Request Forgery (SSRF) vulnerability in Microsoft Azure Health Bot to elevate privileges over a network," said Microsoft in an advisory released on August 13, 2024.
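The flaw Microsoft describes is a Server-Side Request Forgery in a feature that fetches third-party data on a user's behalf. The following is an added example, not Microsoft's or Tenable's code, of the destination check such an outbound connector needs: restrict the scheme, resolve the hostname, and reject the request if any resolved address lands in a loopback, private, link-local or cloud-metadata range. The hostnames and addresses below are constructed, and the resolver is injectable so the check runs offline.

```python
"""SSRF guard for an outbound "data connection" style feature (added example)."""
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Ranges an outbound connector must never reach. The link-local block
# covers the cloud instance metadata endpoint (169.254.169.254).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "100.64.0.0/10",
    "::1/128", "fc00::/7", "fe80::/10",
)]

Resolver = Callable[[str], Iterable[str]]

def default_resolver(host: str) -> list[str]:
    """Resolve a hostname to all of its IPv4 and IPv6 addresses."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]

def is_blocked_address(addr: str) -> bool:
    """True if the address is in any range a connector must not reach."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # unparseable address: fail closed
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 is judged as IPv4
    if ip.is_multicast or ip.is_reserved or ip.is_unspecified:
        return True
    return any(ip in net for net in BLOCKED_NETWORKS)

def check_data_connection_url(url: str, resolve: Resolver = default_resolver) -> tuple[bool, str]:
    """Return (allowed, reason) for a user-supplied connector URL.

    Every resolved address is checked, not just the first, so a name that
    resolves to one public and one internal address is still rejected.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname or parts.username or parts.password:
        return False, "missing host or embedded credentials"
    try:
        addrs = list(resolve(parts.hostname))
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "host did not resolve"
    for addr in addrs:
        if is_blocked_address(addr):
            return False, f"{parts.hostname} resolves to blocked address {addr}"
    return True, "ok"
```

The same check must be re-applied to every redirect target before the connector follows it, since a public host can redirect to an internal address.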


Jak joined the TweakTown team in 2017 and has since reviewed 100s of new tech products and kept us informed daily on the latest science, space, and artificial intelligence news. Jak's love for science, space, and technology, and, more specifically, PC gaming, began at 10 years old. It was the day his dad showed him how to play Age of Empires on an old Compaq PC. Ever since that day, Jak fell in love with games and the progression of the technology industry in all its forms. Instead of typical FPS, Jak holds a very special spot in his heart for RTS games.
