Microsoft Power Apps misconfiguration exposes data from 38 million records – Natural Self Esteem

The leaked data included personal information for COVID-19 contact tracing and vaccination appointments, social security numbers for job applicants, employee ID cards, names and email addresses.


A lack of proper security configuration with Microsoft’s Power Apps has led to the disclosure of data from about 38 million records, according to security firm UpGuard. In a report published Monday, UpGuard said the low-code development platform’s misconfiguration exposed information such as COVID-19 contact tracing, vaccination dates, social security numbers for job applicants, employee ID cards, and millions of names and email addresses.

Organizations whose data was exposed included government agencies in Indiana, Maryland, and New York City, as well as private companies such as American Airlines, JB Hunt, and even Microsoft itself.


Microsoft Power Apps is a low-code development tool designed to help people with little coding experience create web and mobile apps for their organizations. As part of the process, Microsoft enables customers to set up Power Apps portals as public websites to provide internal and external users with secure access to the data they need. And therein lies the heart of the security problem.

To provide access to the data, Power Apps uses an OData (Open Data Protocol) API. The API retrieves data from Power Apps lists, which retrieve the data from tables in a database. However, access to the data tables was set to public by default. To control who can retrieve the data, customers should actively configure and enable a table permissions setting. And apparently many didn’t do this, allowing any anonymous user free access to the data.

As Microsoft explains in a technical document about lists in Power Apps: “To secure a list, you must configure table permissions on the table for which records are displayed and also set the Boolean value ‘Enable Table Permissions’ for the list record to ‘true.’” The document also warns: “Be careful when enabling OData feeds without table permissions for sensitive information. The OData feed is accessible anonymously and without permission checking if ‘Enable Table Permissions’ is disabled.”
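The rule quoted above (a feed is served anonymously, with no permission check, unless the list's ‘Enable Table Permissions’ flag is true and table permissions exist on the backing table) is simple enough to turn into a configuration audit. The following is an added example, not code from UpGuard, Microsoft or the article; it operates on a constructed, hypothetical export of list definitions rather than any real Power Apps API, and the sensitive-table hints and sample list names are assumptions drawn from the data types the report mentions:

```python
"""Audit Power Apps portal list definitions for anonymously readable OData feeds.

Added example, not code from UpGuard, Microsoft or the article. It encodes the
rule quoted from Microsoft's documentation: a list's OData feed is served
anonymously, with no permission checking, unless 'Enable Table Permissions' is
true and table permissions are configured on the backing table. The record
layout below is a constructed, hypothetical export format, not a real
Power Apps API.
"""
from dataclasses import dataclass
from typing import List, Optional

# Substrings that mark a backing table as sensitive for severity ranking
# (constructed list, drawn from the data types named in the report).
SENSITIVE_TABLE_HINTS = ("contact", "applicant", "vaccin", "employee", "ssn")


@dataclass
class ListDefinition:
    name: str                       # list name in the portal
    table: str                      # logical name of the backing table
    odata_enabled: bool             # list publishes an OData feed
    enable_table_permissions: bool  # the Boolean flag on the list record
    table_permissions: List[str]    # table-permission records on that table


@dataclass
class Finding:
    list_name: str
    table: str
    severity: str   # "high", "medium" or "review"
    reason: str


def is_sensitive(table: str) -> bool:
    """Heuristic: does the table name suggest personal or regulated data?"""
    lowered = table.lower()
    return any(hint in lowered for hint in SENSITIVE_TABLE_HINTS)


def audit_list(defn: ListDefinition) -> Optional[Finding]:
    """Return a Finding for a misconfigured list, or None when it is fine."""
    if not defn.odata_enabled:
        return None  # no feed, so nothing is served anonymously
    if not defn.enable_table_permissions:
        # Per the documentation: feed accessible anonymously, no permission check.
        return Finding(
            defn.name, defn.table,
            "high" if is_sensitive(defn.table) else "medium",
            "OData feed enabled while 'Enable Table Permissions' is false",
        )
    if not defn.table_permissions:
        # Flag is on but no rule exists on the table; confirm intended users
        # still get access and that a permission record is actually defined.
        return Finding(
            defn.name, defn.table, "review",
            "table permissions enabled but no table-permission record found",
        )
    return None


def audit_portal(lists: List[ListDefinition]) -> List[Finding]:
    """Audit every list and return findings ordered high -> medium -> review."""
    order = {"high": 0, "medium": 1, "review": 2}
    findings = [f for f in (audit_list(d) for d in lists) if f is not None]
    return sorted(findings, key=lambda f: (order[f.severity], f.list_name))


# Constructed sample export (hypothetical names, not from any real portal).
SAMPLE_LISTS = [
    ListDefinition("Contact Tracing Cases", "contacttracing_case", True, False, []),
    ListDefinition("Job Applicants", "applicant", True, True, ["Applicant - Self"]),
    ListDefinition("Public Events", "event", True, False, []),
    ListDefinition("Vaccination Slots", "vaccination_slot", True, True, []),
    ListDefinition("Internal Notes", "note", False, False, []),
]


if __name__ == "__main__":
    for f in audit_portal(SAMPLE_LISTS):
        print(f"[{f.severity:6}] {f.list_name} ({f.table}): {f.reason}")
```

Run against the constructed sample, the audit flags the contact-tracing list as high (feed on, flag off, sensitive table), the events list as medium, and the vaccination list for review (flag on but no permission record), while the applicant list with both controls in place and the list without a feed produce no finding. The ordering matters in practice: with a portal that has dozens of lists, the anonymously readable sensitive tables are what need to be fixed first.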

Certainly misconfigurations and user errors are a common cause of security problems. However, as vendors push low-code and no-code development products for non-technical customers, the likelihood of errors increases. This is especially true as organizations increasingly turn to the cloud to deploy applications and data access.

“The rush to the cloud has exposed the inexperience of many organizations with the various cloud platforms and the risks of their default configurations,” said Chris Clements, VP of Cerberus Sentinel Solutions Architecture. “Development in a public cloud can have efficiency and scale benefits, but it also often removes the ‘safety net’ of development performed within internal networks protected from outside access by the perimeter firewall.”


Following its initial investigation, which began on May 24, 2021, UpGuard announced that it submitted a vulnerability report to the Microsoft Security Resource Center a month later, on June 24. The report included the steps needed to identify OData feeds that allowed anonymous access to list data and URLs for accounts that disclosed sensitive data.

In response, Microsoft closed the case on June 29, with an analyst at the company telling UpGuard that it “determined that this behavior was by design.” After further back and forth between UpGuard and Microsoft, some of the affected organizations were notified of the security issue. Finally, Microsoft made changes to Power Apps portals so table permissions are now enabled by default. The company also rolled out a tool that Power Apps customers can use to review their permissions settings.

A Microsoft spokesperson said that only a small portion of customers have configured the portal as described in UpGuard’s report and that Microsoft has worked closely with those customers to ensure they are using the correct privacy settings. The spokesperson added that customers will be notified of the availability of public feeds if they’re spotted, so they can review and fix them if necessary. Additionally, Microsoft’s primary portal designer, Design Studio, uses strong privacy settings by default, according to the company, which says it is in the process of ensuring alternative designer tools use similarly strong settings by default.

“While we understand (and agree with) Microsoft’s position that the issue here is not necessarily a software vulnerability, it is a platform issue that requires code changes to the product and should therefore go in the same workflow as vulnerabilities,” UpGuard said in its report. “Changing the product in response to observed user behavior is a better solution than naming the systemic loss of data confidentiality as an end-user misconfiguration, thereby perpetuating the problem and exposing end-users to the cybersecurity risk of a data breach.”
