Cybersecurity researchers at Tenable have uncovered significant security flaws in Microsoft’s Azure Health Bot Service, a platform widely used by healthcare providers to deploy AI-powered virtual assistants. These bots are designed to help manage patient interactions and administrative tasks, requiring access to sensitive health data.
The vulnerabilities discovered by Tenable allowed attackers to manipulate the service’s data-connection components. By pointing a data connection at an attacker-controlled external host that answered with HTTP redirect responses, the researchers could make the service follow the redirect to its internal metadata service and obtain access tokens. This breach potentially exposed sensitive data across hundreds of resources belonging to other Azure Health Bot customers.
Fortunately, Tenable promptly informed Microsoft of the issue in June, leading to a quick resolution and a bug bounty award for the discovery. Importantly, there is no evidence to suggest that this vulnerability was exploited by malicious actors before the fix was applied.
However, the incident highlights the ongoing security challenges in integrating AI technologies into healthcare services, emphasizing the need for continuous vigilance.