According to a report by cybersecurity firm UpGuard, several users of Microsoft’s Power Apps business application solution, including Microsoft itself, have unintentionally exposed 38 million records through portals that allow public access.
The report prompted changes from Microsoft, UpGuard said, and a Microsoft partner told CRN that the incident reminded solution providers of the “balance” between information sharing and security, and of the importance of identity and data management even after applications have been built and made available to users.
UpGuard – which is headquartered in Sydney; Hobart, Australia; and Mountain View, Calif. – reported Monday that the Power Apps portals of government agencies and private companies were exposing data, including names, phone numbers, addresses and, in one case, data that looked like Social Security numbers. In another instance, the New York City Department of Education appears to have exposed student email addresses.
The report acknowledged that after UpGuard contacted Microsoft in June about the “sensitive data” exposures, the tech giant “released a tool to check Power Apps portals and planned product changes so that table permissions are applied by default.”
“To diagnose configuration issues, Portal Checker can be used to detect lists that allow anonymous access,” according to the report. “Most importantly, newly created Power Apps portals will have table permissions enabled by default. Table configurations can always be changed to allow anonymous access, but enabling permissions by default will greatly reduce the risk of future misconfiguration.”
Microsoft did “its best” in response to what UpGuard found, according to the report.
“It is a better resolution to change the product in response to observed user behaviors than to label the systemic loss of data privacy as a misconfiguration of the end user, allowing the problem to persist and exposing end users to the cybersecurity risk of a data breach,” according to the report.
The report comes at a time when the security of Microsoft’s applications is under closer scrutiny. Earlier this month, security vendor Huntress warned managed service providers (MSPs) of on-premises Microsoft Exchange Server ProxyShell vulnerabilities that could be exploited by cybercriminals. And Microsoft has released several reports on a Windows print spooler vulnerability known as PrintNightmare.
Protect users from themselves
In an email to CRN US, a Microsoft spokesperson said customers are made aware of the availability of public feeds when they are discovered so they can review and correct them if public availability was unintentional. The spokesperson said that only a small subset of customers have configured the portal as described in the UpGuard report and that Microsoft’s primary portal design tool, Design Studio, uses strong privacy settings by default.
“Our products provide customers with flexibility and privacy features to design scalable solutions that meet a wide variety of needs,” said the spokesperson. “We take security and privacy seriously, and we encourage our customers to use best practices when configuring products to best meet their privacy needs.”
Greg Pollock, vice president of cyber research at UpGuard, told CRN US in an interview that the data exposures show the importance of setting triggers for abnormal user behavior, and the potential danger of the low-code, no-code philosophy, which puts data science capabilities in the hands of amateurs.
His advice is to “slow down and budget well to master the technologies involved”.
“I guess a lot of these portals were exposing data because the person using them and setting up the dataflow API was not an expert,” Pollock said. “I’m going to assume they haven’t read the documentation.”
“You want to hire someone who knows things inside out,” he continued. “The same applies, even more so, to other technologies, whether it’s in the Amazon cloud or elsewhere. You need someone who knows how all the access control rules work, because it can get really complicated. Managing identities and access in any cloud environment is quite complicated. You don’t want to throw it at someone and say, ‘I’ll figure it out on the fly.’”
The exposure of information held by companies reminds solution providers to check what customer information is exposed by tools connected to the Internet. Several partner program portals have been observed exposing data, Pollock said.
“There were a number of prospect databases related to software sales but also to other businesses,” he said. “You not only get the contact’s name and email address, maybe their phone number, but a few notes about them as well. It is the context that makes this information much riskier, if it were to be exposed, not only for the contact but also for your business. Customer lists are valuable information. You don’t want your competition to know who your customers are or to know anything about your sales motion, really.”
Examples of data exposure uncovered by UpGuard range from a portal by logistics company JB Hunt exposing “a number that matches the format of a US Social Security number and contains numbers that were issued as SSNs” to the New York City Department of Education exposing “email addresses for the ‘nycstudents.net’ email domain – probably the email addresses assigned by the school to students, although it is difficult to verify the identity of minors with publicly available data.”
The Maryland Department of Health exposed “what appeared to be COVID-19 testing appointments containing the date, time and location of the appointment, as well as the reference ID of the contact associated with the appointment,” according to the report.
A global Microsoft payroll services portal used to manage payroll questions exposed employee email addresses and employee IDs. A Microsoft list “included metadata about employee questions, such as the ticket title – examples: ‘Bad salary was deposited into my account’ and ‘Payroll January 2017 – Clarification on taxable amount’ – status of ticket and the name of the person who worked there,” according to the report.
And the mixed reality-related Microsoft portals had lists “containing 39,210 records for mostly non-Microsoft users, some of whom had work email accounts and some were from personal email providers like Gmail or universities. The data present was the user’s full name, email address and the name of their Microsoft liaison,” according to the report.