Microsoft Power Apps misconfiguration exposes data for 38 million records

The leaked data included personal information for COVID-19 contact tracing and vaccination appointments, job applicants’ social security numbers, employee IDs, names and email addresses.

A lack of proper security configuration with Microsoft’s Power Apps led to the data exposure of some 38 million records, according to security firm UpGuard. In a report on Monday, UpGuard said the low-code developer platform’s misconfiguration revealed information such as COVID-19 contact tracing, vaccination appointments, social security numbers of candidates, employee IDs and millions of names and email addresses.

Among the organizations whose data was exposed were government agencies in Indiana, Maryland and New York, as well as private companies such as American Airlines, JB Hunt and even Microsoft itself.

Microsoft Power Apps is a low-code development tool designed to help people with little programming experience build web and mobile apps for their organizations. As part of the process, Microsoft allows customers to configure Power Apps portals as public websites to give internal and external users secure access to required data. And therein lies the crux of the security problem.

To authorize data access, Power Apps uses an Open Data Protocol (OData) API. The API retrieves data from Power Apps lists, which in turn pull data from tables in a database. However, access to data tables had been set to public by default. To control who can retrieve data, customers were expected to actively configure and enable a table permissions setting. Many apparently did not, which left the data freely accessible to any anonymous user.

As Microsoft explains in a white paper on lists in Power Apps: “To secure a list, you must configure table permissions for the table for which the records are displayed and also set the boolean value Enable table permissions to list record to true.” The document also warns: “Be careful when enabling OData feeds without table permissions for sensitive information. The OData feed can be accessed anonymously and without permission checking if Enable table permissions is disabled.”

Certainly, misconfigurations and user errors are a common cause of security issues. But as vendors push low-code and no-code development products for non-technical customers, the chance of errors increases. This is especially true as organizations increasingly turn to the cloud to configure applications and access data.

“The cloud rush has exposed many organizations’ inexperience with different cloud platforms and the risks associated with their default configurations,” said Chris Clements, vice president of Cerberus Sentinel Solutions Architecture. “Developing in a public cloud can have benefits in terms of efficiency and scalability, but it also often removes the ‘safety net’ of development performed inside internal networks protected from outside access by the perimeter firewall.”

Following its initial investigation, which began on May 24, 2021, UpGuard said it submitted a vulnerability report to the Microsoft Security Resource Center a month later, on June 24. The report contained the steps needed to identify OData feeds that allowed anonymous access to list data, along with URLs for accounts that exposed sensitive data.

In response, the case was closed by Microsoft on June 29, with a company analyst telling UpGuard that it had “determined that this behavior was considered intentional.” After further back and forth between UpGuard and Microsoft, some of the affected organizations were notified of the security issue. Ultimately, Microsoft made changes to Power Apps portals so that table permissions are now enabled by default. The company also launched a tool to help Power Apps customers check their permission settings.

A Microsoft spokesperson said that only a small subset of customers have configured the portal as described in UpGuard’s report, and that Microsoft is working closely with those customers to ensure they are using the appropriate privacy settings. The spokesperson added that customers are notified when a public feed is discovered so they can review and correct it if necessary. Additionally, Microsoft’s main portal designer, Design Studio, uses strong privacy settings by default, according to the company, which said it is making sure that alternative design tools use similarly strong settings by default.

“While we understand (and accept) Microsoft’s position that the issue here is not strictly a software vulnerability, it is a platform issue that requires code changes to the product, and should therefore go in the same workflow as vulnerabilities,” UpGuard said in its report. “It’s a better resolution to change the product in response to observed user behaviors than to label the systemic loss of data privacy as end-user misconfiguration, allowing the problem to persist and exposing end users to the cybersecurity risk of a data breach.”

Rosemary C. Kearney