38 million records exposed by misconfigured Microsoft Power applications. Redmond’s advice? RTFM • The Register

Forty-seven government entities and private companies, including Microsoft, exposed 38 million sensitive data records online by misconfiguring the Windows giant's Power Apps, a low-code service that promises an easy way to create professional applications.

Security business UpGuard said that in May one of its analysts discovered that the OData API for a Power Apps portal offered anonymously accessible database records that included personal information. This led the security shop to look at other Power Apps portals, and its researchers found over a thousand apps configured to make data available to anyone who asked for it.

The entities identified by UpGuard include state and municipal government agencies in Indiana, Maryland, and New York City, and private companies such as American Airlines, Ford, JB Hunt, and Microsoft. There is no indication so far that the information has been misused. It was simply available to the public until UpGuard's disclosures prompted those affected to respond.

Power Apps enables those who are not professional coders to build custom business applications that interact with data from Microsoft Dataverse or other online and on-premises data sources such as SharePoint, Microsoft 365, Dynamics 365, SQL Server, etc. And through Power Apps Portals, Microsoft customers can create a public website to make their application data available.

These portal websites retrieve data from Power Apps through Open Data Protocol (OData) APIs. The API uses Power Apps Lists, a way to display a list of database records. A list is essentially a query made on a specific database table, combined with additional parameters and attributes.

As Microsoft explains in its documentation, "To secure a list, you must configure the table permissions for the table for which the records are displayed and also set the Boolean value Enable table permissions on the list record to true."
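A self-audit of the configuration just described, as an added example that is not code from The Register, UpGuard or Microsoft: it requests each of a portal's list feeds without credentials and flags any list that hands records to an anonymous caller. The `/_odata/` feed path is the one documented for Power Apps portals; the portal host, entity-set names and canned responses are constructed placeholders so the check runs offline.

```python
"""Self-audit for Power Apps portal lists. Added example (not from The Register,
UpGuard or Microsoft): request each list's OData feed with no credentials and flag
any list that hands records to an anonymous caller. The /_odata/ feed path is the
one documented for portals; the host and entity-set names are placeholders."""
from __future__ import annotations
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Tuple
Fetch = Callable[[str], Tuple[int, bytes]]  # injectable so the audit can run offline
@dataclass
class ListExposure:
    entity_set: str
    status: int
    records: int   # records returned to the anonymous request
    exposed: bool  # anonymous access yielded at least one record

def http_get(url: str) -> Tuple[int, bytes]:
    # Unauthenticated GET; HTTP errors come back as (status, body) instead of raising.
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

def check_list(base_url: str, entity_set: str, fetch: Fetch = http_get) -> ListExposure:
    # $top=1 is enough to prove exposure without pulling the whole table.
    status, body = fetch(f"{base_url.rstrip('/')}/_odata/{entity_set}?$top=1")
    try:
        records = len(json.loads(body).get("value", [])) if status == 200 else 0
    except (ValueError, AttributeError):
        records = 0  # 200 but not an OData JSON payload (e.g. an HTML page)
    # 401/403, or a 200 with an empty "value" array, means table permissions held.
    return ListExposure(entity_set, status, records, status == 200 and records > 0)

def audit(base_url: str, entity_sets: list[str], fetch: Fetch = http_get) -> list[ListExposure]:
    return [check_list(base_url, name, fetch) for name in entity_sets]
# Constructed responses standing in for a portal: one open list, one locked down.
PORTAL = "https://contoso.powerappsportals.com"
FAKE = {
    f"{PORTAL}/_odata/contacts?$top=1": (200, json.dumps(
        {"value": [{"fullname": "A. Sample", "emailaddress1": "a@example.com"}]}).encode()),
    f"{PORTAL}/_odata/cases?$top=1": (403, b'{"error":{"code":"Forbidden"}}'),
}
def fake_fetch(url: str) -> Tuple[int, bytes]:
    return FAKE.get(url, (404, b""))

for r in audit(PORTAL, ["contacts", "cases"], fake_fetch):
    print(f"{r.entity_set}: HTTP {r.status}, {r.records} record(s), exposed={r.exposed}")
```

Against a real portal, pass your own portal URL and the entity-set names from each list's OData settings, and leave `fetch` at its default so `http_get` is used.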

But as the UpGuard researchers found, many organizations did not, and that left their Power Apps portal lists accessible to everyone. On June 24, UpGuard reported its findings to Microsoft.

"Examples of sensitive data exposed through the OData APIs were three Power Apps portals used by US government entities to track COVID-19 tracing or vaccination and a portal with candidate data, including social security numbers," UpGuard said in a blog post. "We mentioned that these instances were examples of a larger model, with a significant number of Power Apps portals configured to allow anonymous access to lists and expose PIIs accordingly."

Microsoft has reviewed the report and concluded that its software’s propensity to publish data unprotected is not a security breach.

"On Tuesday, June 29, the case was closed and the Microsoft analyst informed us that they had 'determined that this behavior was considered intentional,'" UpGuard explained.

As Apple co-founder Steve Jobs might have said, the forty-seven entities that left their data in plain sight should "just avoid holding it that way," or, in this case, should just avoid leaving the list data controls disabled.

In an e-mail to The Register, a Microsoft spokesperson offered a variation on this theme: "Our products provide customers with the flexibility and privacy features to design scalable solutions that meet a wide variety of needs. We take security and privacy seriously, and we encourage our customers to use best practices when configuring products to best meet their privacy needs."

Microsoft has nevertheless taken steps to lower the bar for securing low-code apps by modifying Power Apps portals to enable table permissions by default rather than assuming the user will opt in to security. The company has also changed its documentation page, where tips were previously presented in purple note boxes, by adding a pink caution box: "Be careful when enabling OData feeds without table permissions for sensitive information."

How dare you point out our flaws!

UpGuard's findings were not universally welcomed: acknowledging last week that "the state's COVID-19 online contact tracing survey data was poorly viewed," Tracy Barnes, director of information for the state of Indiana, suggested that the data exposure stemmed from UpGuard taking advantage of it.

"The company that accessed the data is a company that intentionally searches for software vulnerabilities and then looks for business," noted Barnes.

UpGuard, in its article, disputed Barnes' insinuation and challenged the Indiana Department of Health to release the agency's recording of the conference call in which UpGuard discussed its findings with state officials.

“In five years of sending data breach notifications, UpGuard has never approached Indiana or any other company notified of a business breach, and Mr. Barnes’ claim has no basis,” said UpGuard.

After its initial disclosure to Microsoft, UpGuard discovered that several of Microsoft's own Power Apps portal sites were exposing data. The global payroll services portal, used to handle payroll matters until its deprecation last year, had 332,000 contacts exposed, with their Microsoft email address, full name, phone number, employee user ID and other data fields. The situation was similar for two portals related to business tools support, three mixed reality portals and an Azure China portal operated by 21Vianet.

The Register asked Microsoft to expand on its emailed statement by telling us whether the company was aware of any misuse of any of its exposed data. Microsoft declined to comment further.

UpGuard said it understands Microsoft's position that this is not, strictly speaking, a security vulnerability, but it supports code changes that minimize these kinds of issues.

"It is a better resolution to change the product in response to observed user behaviors than to label the systemic loss of data privacy as a misconfiguration of the end user, allowing the problem to persist and exposing end users to the cybersecurity risk of a data breach," the security biz said.

In a post on LinkedIn, Jukka Niiranen, co-founder of Forward Forever, a Power Platform consultancy, offered a similar assessment.

"Whenever I introduce clients to the different types of Power Apps, I try to get the message across that portals are not something you want to try to build with a 'citizen developer' skill set," Niiranen said. "The world of complexity behind the product is scary even for many xRM veterans like myself." ®

Rosemary C. Kearney