Microsoft Power Apps Data Exposure: Prioritize Sensitive Data with Secure Configuration Settings
Poor security configurations are one of the most common loopholes that hackers seek to exploit. The wrong configuration setting in a popular cloud platform can have far-reaching consequences, allowing threat actors to access an abundance of valuable personal information and use it to their advantage.
Over the past 12-18 months, the COVID-19 pandemic has driven the rapid adoption of cloud applications across the world. According to Cloudwards, 94% of all businesses are now using cloud services. As organizations have rushed to adopt cloud platforms, expertise on these platforms has fallen behind, often leading to misconfiguration and, in turn, to the many cases of data exposure that have been observed.
In a recent incident, approximately 38 million records were exposed online after a default setting in Microsoft’s Power Apps portal service left them publicly available. Personally Identifiable Information (PII), such as social security numbers, home addresses and COVID-19 vaccination statuses, was visible to anyone with access to the platform. The incident underscores the importance of secure configuration by default, and shows that even in low-code environments such as Microsoft Power Apps, security should still be a consideration for organizations leveraging the platform.
Organizations that rely on cloud services – in this case a low-code platform – should be aware of the shared responsibility model, which means that the customer and the cloud provider each take responsibility for certain security elements. Where these lines are drawn varies by cloud provider, as well as by service, and is a critical consideration in leveraging any cloud platform.
Vulnerability versus misconfiguration
This event also presents an interesting case study for security outcomes. UpGuard – which discovered the exposure – agrees with Microsoft that this issue was not strictly a software vulnerability. Microsoft’s documentation even included a disclaimer emphasizing the risks of anonymous public access if settings are not configured appropriately. To some extent, the onus is on the cloud service user to fully understand the consequences of their chosen configuration settings, which brings us back to the shared responsibility model.
That said, Microsoft Power Apps has now been updated so that it doesn’t allow anonymous access to data tables by default. Platform users can still choose to change this setting, but they can no longer simply ignore a parameter that could have many consequences.
Monitoring and cloud
While no customer data has been compromised (to our knowledge), the discovery underscored the importance of approaching cloud services with the same level of diligence as you would for internally hosted services. Just because it’s in the cloud doesn’t mean it’s inherently secure.
Threats to the service have yet to be modeled and understood. The main cause for concern in this case is that it left large amounts of personally identifiable information accessible, creating an opportunity for a wide range of potential attack methods: fraud, account hacking, phishing and blackmail are just a few of the crimes that this type of exposed data makes possible for threat actors.
There needs to be greater awareness of the dangers of misconfigurations across the board, or organizations may face irreversible repercussions. Security teams need visibility into all systems, whether on-premises or in the cloud, so that they can maintain a robust security posture.
One of the challenges of cloud platforms is that logs are not always accessible to users of those platforms, and when available they can sometimes be difficult to obtain or are only available a considerable time after the event of interest. When adopting cloud solutions, especially if those solutions host sensitive data, organizations should think about how they will monitor these solutions and whether the appropriate level of visibility can be achieved.
Attackers are constantly on the hunt for low-hanging fruit – after all, why try to compromise on-premises systems to gain authenticated access when valuable data is available anonymously from a cloud platform?
With the breadth of platforms in use today, you just can’t be an expert in all of them, but what you can do is stop and think about the risks that the data in your application can pose, and determine if the configuration is appropriate for that dataset. Beyond that, monitoring and review are the safety net for detecting any accidental misconfiguration before a malicious actor does.