Worrying Security Vulnerabilities Found in Microsoft's AI Healthcare Bots

Azure's bot service is a cloud platform that helps healthcare professionals deploy AI-powered virtual health assistants. The Azure Health Bot Service includes a data-connection component that allows bots to interact with external data sources and retrieve information from other services the provider may be using, such as a portal for patient information or a reference database for general medical information.

Researchers at Tenable found critical vulnerabilities in Microsoft's Azure Health Bot Service that could have put people's health data at risk. They found they could connect "using a malicious external host, and [set] that up to respond to any queries from the platform with 301 or 302 redirect codes indicating that the web page had been permanently moved. Those redirect responses were sent back to the [service's internal metadata service], which in turn responded with metadata that leaked the access tokens." The bug gave Tenable access to "hundreds and hundreds of resources belonging to other customers." Tenable notified Microsoft in June, and it issued a fix.
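One way a data-connection component can follow redirects without being steered at an internal endpoint, as an added example that is not taken from the article or from Microsoft's service: every hop, including each 301/302 Location target, is resolved and checked against link-local and private address ranges before it is requested. The hostnames and addresses used are constructed, and the `resolver` and `responses` callbacks are assumptions standing in for the real DNS lookup and HTTP client.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

# Constructed example: outbound-fetch policy for a data-connection component that
# calls customer-supplied endpoints. Each hop, including every 301/302 Location
# target, is resolved and checked before it is requested, so a redirect cannot
# reach the link-local metadata endpoint or other internal hosts.
MAX_REDIRECTS = 3
ALLOWED_SCHEMES = {"https"}

def _is_public(ip):
    a = ipaddress.ip_address(ip)  # is_link_local covers 169.254.0.0/16 (cloud metadata)
    return not (a.is_link_local or a.is_private or a.is_loopback or a.is_multicast
                or a.is_reserved or a.is_unspecified)

def default_resolver(host):
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def hop_allowed(url, resolver=default_resolver):
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    try:
        ips = resolver(parts.hostname)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    bad = [ip for ip in ips if not _is_public(ip)]
    if not ips or bad:  # a host with even one internal record is rejected
        return False, f"{parts.hostname} resolves to non-public {bad}"
    return True, "ok"

def follow_redirects(start_url, responses, resolver=default_resolver):
    """Walk a redirect chain, validating each hop first. responses(url) returns
    (status, headers): a client with auto-redirects off; tests inject a fake."""
    url, chain = start_url, []
    for _ in range(MAX_REDIRECTS + 1):
        ok, why = hop_allowed(url, resolver)
        if not ok:
            raise PermissionError(f"refusing {url}: {why}")
        chain.append(url)
        status, headers = responses(url)
        if status not in (301, 302, 303, 307, 308):
            return url, chain
        url = urljoin(url, headers["Location"])  # relative Location resolves against this hop
    raise PermissionError("too many redirects")
```

Re-resolving at every hop also covers the case where a later Location points at a hostname whose DNS record is internal rather than an address literal.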