A misconfigured Microsoft tool leaked data from 47 organizations

[Photo: Peter Macdiarmid (Getty Images)]

New research shows that misconfigurations of a widely used web tool have led to the leaking of tens of millions of data records.

Microsoft's Power Apps, a popular development platform, lets organizations quickly build web applications, from public-facing websites to the backend data management behind them. Many governments have used Power Apps to stand up covid-19 contact tracing interfaces quickly, for example.

However, incorrect settings in the product can leave large amounts of data publicly exposed on the web, which is exactly what happened here.

Researchers from the cybersecurity company UpGuard recently discovered that up to 47 different entities, including governments, large companies, and Microsoft itself, had misconfigured their Power Apps deployments in a way that exposed their data.

The list includes some very large institutions, including the state governments of Maryland and Indiana and New York City public agencies, such as the MTA. Large private companies, including American Airlines and transportation and logistics firm JB Hunt, have also suffered leaks.

UpGuard researchers write that the leaked databases held a great deal of sensitive information, including “Personal information used to track COVID-19 contacts, COVID-19 vaccination appointments, social security numbers for job seekers, employee identifiers, and millions of names and email addresses.”

According to researchers, Microsoft itself apparently misconfigured several databases of Power Apps and exposed large amounts of records. One of these apparently included a “collection of 332,000 email addresses and employee identifiers used for Microsoft’s global payroll services,” the researchers write.

In June, UpGuard contacted the Microsoft Security Resource Center to submit a vulnerability report, alerting them to the widespread problem. In total, 38 million records were exposed as a result of leaks observed by researchers.

Ultimately, UpGuard concluded that Microsoft has not adequately publicized this security issue and that more should have been done to alert customers to the dangers of misconfiguration. Researchers write:

The number of accounts exposing confidential information … indicates that the risk of this feature, the probability and impact of its bad configuration, has not been properly appreciated. On the one hand, the product documentation describes exactly what happens if an application is configured this way. On the other hand, empirical evidence suggests that a warning in the technical documentation is not enough to avoid the serious consequences of misconfiguring OData list feeds for Power Apps portals.

Following UpGuard's disclosures, Microsoft has since changed the default permissions and settings related to Power Apps to make the product more secure.
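The misconfiguration described above is an OData list feed on a Power Apps portal that answers unauthenticated requests. The following self-audit helper, an added example that is not part of the article or of UpGuard's or Microsoft's tooling, classifies the response a portal owner gets from an anonymous request to their own portal's OData service document. It assumes the `/_odata` path and the OData v4 service-document shape (`{"value": [{"name": ..., "url": ...}]}`); the sample responses are constructed, and `audit_own_portal` is only meant to be pointed at a portal you administer.

```python
"""Self-audit of a Power Apps portal's anonymous OData feed (added example).

Assumptions (not from the article): the service document lives at
<portal>/_odata and follows the OData v4 shape {"value": [{"name": ...}]}.
Sample responses below are constructed for illustration.
"""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass, field


@dataclass
class FeedAudit:
    exposed: bool           # True when anonymous feeds are listed
    status: int             # HTTP status of the unauthenticated request
    feeds: list = field(default_factory=list)
    note: str = ""


def classify_odata_response(status: int, body: str) -> FeedAudit:
    """Classify an unauthenticated GET of <portal>/_odata."""
    if status in (401, 403):
        return FeedAudit(False, status, note="feed requires authentication")
    if status == 404:
        return FeedAudit(False, status, note="OData feed not enabled")
    if status != 200:
        return FeedAudit(False, status, note=f"unexpected status {status}; review manually")
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        # A 200 with an HTML body is usually a sign-in page, not a feed.
        return FeedAudit(False, status, note="200 but non-JSON body; review manually")
    entries = doc.get("value", []) if isinstance(doc, dict) else []
    feeds = [e.get("name") or e.get("url") for e in entries if isinstance(e, dict)]
    feeds = [f for f in feeds if f]
    if not feeds:
        return FeedAudit(False, status, note="service document lists no feeds")
    return FeedAudit(True, status, feeds,
                     note="anonymous OData feeds enabled; review table permissions for each")


def audit_own_portal(portal_base_url: str, timeout: float = 10.0) -> FeedAudit:
    """Live check against a portal you administer (not exercised by the samples)."""
    url = portal_base_url.rstrip("/") + "/_odata"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_odata_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify_odata_response(err.code, err.read().decode("utf-8", "replace"))


# Constructed sample responses (hypothetical portal, not a real one).
SAMPLE_EXPOSED = (200, json.dumps({
    "@odata.context": "https://example.powerappsportals.com/_odata/$metadata",
    "value": [
        {"name": "contacttracing", "kind": "EntitySet", "url": "contacttracing"},
        {"name": "vaccineappointments", "kind": "EntitySet", "url": "vaccineappointments"},
    ],
}))
SAMPLE_LOCKED = (403, "Forbidden")
SAMPLE_DISABLED = (404, "")

if __name__ == "__main__":
    samples = [("exposed", SAMPLE_EXPOSED), ("locked", SAMPLE_LOCKED), ("disabled", SAMPLE_DISABLED)]
    for label, (status, body) in samples:
        result = classify_odata_response(status, body)
        print(f"{label}: exposed={result.exposed} feeds={result.feeds} note={result.note}")
```

A listed feed is not by itself a leak: the service document only shows which tables are enabled for OData, and whether anonymous users can read rows depends on the table permissions for each. The point of the check is to make a feed that nobody meant to publish visible to its owner before someone else notices it.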
