New research shows that misconfigurations of a widely used web tool have led to the leaking of tens of millions of data records.
Microsoft’s Power Apps, a popular development platform, allows organisations to quickly create web apps, replete with public-facing websites and related backend data management. A lot of governments have used Power Apps to swiftly stand up COVID-19 contact tracing interfaces, for instance.
However, incorrect configurations of the product can leave large troves of data publicly exposed to the web — which is exactly what has been happening.
Researchers with cybersecurity firm UpGuard recently discovered that as many as 47 different entities — including governments, large companies, and Microsoft itself — had misconfigured their Power Apps to leave data exposed.
The list includes some very large institutions, including the state governments of Maryland and Indiana and public agencies for New York City, such as the MTA. Large private companies, including American Airlines and transportation and logistics firm J.B. Hunt, have also suffered leaks.
UpGuard researchers write that the troves of leaked data have included a lot of sensitive material, including “personal information used for COVID-19 contact tracing, COVID-19 vaccination appointments, social security numbers for job applicants, employee IDs, and millions of names and email addresses.”
According to researchers, Microsoft itself apparently misconfigured a number of its own Power Apps databases, leaving large amounts of their records exposed. One of those apparently included a “collection of 332,000 email addresses and employee IDs used for Microsoft’s global payroll services,” researchers write.
In June, UpGuard reached out to Microsoft’s Security Resource Centre to submit a vulnerability report, alerting them to the widespread issue. Altogether, 38 million records were apparently exposed as a result of the leaks researchers observed.
UpGuard ultimately concluded that Microsoft hasn’t publicized this security issue enough, and that more should have been done to alert customers to the dangers of misconfiguration. Researchers write:
The number of accounts exposing sensitive information… indicates that the risk of this feature – the likelihood and impact of its misconfiguration – has not been adequately appreciated. On one hand, the product documentation accurately describes what happens if an app is configured in this way. On the other hand, empirical evidence suggests a warning in the technical documentation is not sufficient to avoid the serious consequences of misconfiguring OData list feeds for Power Apps portals.
Following UpGuard’s disclosures, Microsoft has since shifted permissions and default settings related to Power Apps to make the product more secure.