38 million user records exposed through Microsoft Power Apps portals


The Microsoft Power Apps portal service is designed to make it easy to build web and mobile applications. Unfortunately, because of an insecure default setting, data belonging to 38 million users was publicly accessible when it should not have been.

What happened to Microsoft Power Apps?

As discovered by UpGuard and reported by Wired, the Power Apps portals platform by default left the data behind its APIs accessible to the public rather than keeping it private. In practice that meant anyone who quickly set up a web application using these APIs had to enable access restrictions manually, instead of having them on from the start and opening data up deliberately.

“The UpGuard research team can now disclose multiple data breaches resulting from Microsoft Power Apps portals configured to allow public access – a new vector for data exposure,” UpGuard said in a blog post.

Microsoft Power Apps portals are used by a wide variety of businesses and government agencies. Because they make it quick and easy to launch a website or app, they have been used frequently for COVID-19 tools such as contact tracing and vaccine registration forms. The platform was also popular for hosting job application portals and employee databases.

These tools could contain sensitive user data, and many of them had not enabled the access controls. As a result, data such as phone numbers, home addresses, social security numbers and COVID-19 vaccination status was exposed to anyone who went looking for it.

Affected organizations include American Airlines, Ford, J.B. Hunt, the Maryland Department of Health, the New York City Metropolitan Transportation Authority, and New York City Public Schools.

Is there a fix?

Microsoft has since addressed the root cause. The default settings no longer make API data and other information publicly available; developers who want data to be public must now enable that setting deliberately, which is how it should have worked from day one.
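A direct check for anyone responsible for a Power Apps portal, regardless of what the platform default happens to be, is to send one unauthenticated request to the portal's OData feed and see whether it answers with the service document that lists the tables behind it. The script below is an added example, not code from this article, UpGuard or Microsoft. It assumes the feed lives at `/_odata/` under the portal host (the Power Apps portals OData feed path) and that an anonymous caller who can enumerate entity sets there can also read them; the host name and responses in the embedded samples are constructed so the classifier can be exercised offline. Run the live probe only against portals you own or are authorised to test.

```python
"""Anonymous probe of a Power Apps portal's OData feed.

Added illustration, not UpGuard's or Microsoft's code. Assumes the portal
serves its OData feed at /_odata/ (the Power Apps portals feed path) and
that an unauthenticated caller who can list entity sets there can read
the tables behind them. The sample responses below are constructed.
"""
import json
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass, field

ODATA_PATH = "/_odata/"  # Power Apps portals OData feed path (assumption, see docstring)


@dataclass
class FeedStatus:
    exposed: bool                 # True if an anonymous caller can enumerate entity sets
    status: int                   # HTTP status returned to the anonymous request
    entity_sets: list = field(default_factory=list)


def classify(status: int, content_type: str, body: str) -> FeedStatus:
    """Decide from one anonymous response whether the feed is public.

    A protected portal typically answers 401/403, or 200 with its HTML
    sign-in page instead of the OData service document. Only a JSON
    service document that lists at least one entity set counts as exposure.
    """
    if status != 200:
        return FeedStatus(False, status)
    if "json" not in content_type.lower():
        return FeedStatus(False, status)          # e.g. HTML sign-in page
    try:
        doc = json.loads(body)
    except ValueError:
        return FeedStatus(False, status)
    sets = [
        item["name"]
        for item in doc.get("value", [])
        if isinstance(item, dict)
        and item.get("kind", "EntitySet") == "EntitySet"
        and item.get("name")
    ]
    return FeedStatus(bool(sets), status, sets)


def probe(portal_host: str, timeout: float = 10.0) -> FeedStatus:
    """Send one unauthenticated GET to the portal's feed and classify the reply."""
    req = urllib.request.Request(
        f"https://{portal_host}{ODATA_PATH}",
        headers={"Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.headers.get("Content-Type", ""),
                            resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.headers.get("Content-Type", ""), "")


# Constructed sample responses: one shaped like an OData service document
# (exposed), one like a sign-in page, one like an access-denied reply.
SAMPLE_EXPOSED = classify(
    200, "application/json; odata.metadata=minimal",
    json.dumps({"@odata.context": "https://example.powerappsportals.com/_odata/$metadata",
                "value": [{"name": "contacts", "kind": "EntitySet", "url": "contacts"},
                          {"name": "vaccination_appointments", "kind": "EntitySet",
                           "url": "vaccination_appointments"}]}),
)
SAMPLE_SIGNIN = classify(200, "text/html; charset=utf-8", "<html>Sign in</html>")
SAMPLE_DENIED = classify(403, "application/json", "")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: odata_probe.py <portal-host>   (test only portals you own)")
    result = probe(sys.argv[1])
    verdict = "EXPOSED" if result.exposed else "not exposed"
    print(f"{sys.argv[1]}: HTTP {result.status}, {verdict}; entity sets: {result.entity_sets}")
```

An exposed feed answering with entity sets such as `contacts` is the condition UpGuard described; the fix on the portal side is to require table permissions on every list and OData feed rather than leaving them open, and then to re-run the probe until it reports the feed as not exposed.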

There will always be data that developers want to make public, so they will now take the extra step of exposing selected data rather than the extra step of hiding it. That is the better trade-off for the people using these web applications, since it gives them more confidence that their private data stays private. In this case, though, the damage is already done, and the full fallout remains to be seen.

Rosemary C. Kearney