Misconfigured Microsoft Power Apps spill sensitive data

At least 38 million records from hundreds of exposed portals

Jeremy Kirk (jeremy_kirk)
August 24, 2021

At least 38 million records have been disclosed by hundreds of online portals that have been unintentionally misconfigured by organizations using Power Apps, a Microsoft service for quickly launching web applications.


Some of the companies and organizations that have disclosed data include American Airlines, Ford Motor Co., JB Hunt, Maryland Department of Health, Indiana State, New York City Municipal Transportation Authority, New York Schools and even Microsoft, which actually misconfigured several of its own portals, according to security firm UpGuard.

The data exposed included personal information relating to vaccine appointments, drug test dates, social security numbers, COVID-19 tests, employment, and payroll information. Accessing sensitive data involved a trivial change to the URL of a Power Apps portal.

Microsoft has now changed a default setting in Power Apps to make using the service more secure and less likely to inadvertently expose data. Prior to the change, the company warned in its Power Apps documentation of the danger of unsecured setups, but this apparently went unnoticed.

The problem was discovered in June by UpGuard, which specializes in data risk assessment. Since then, UpGuard has contacted 47 affected organizations who exposed some of the most sensitive data.

When UpGuard submitted a vulnerability report on June 24, the Microsoft Security Response Center replied by email that the data exposure was behavior by design.

Microsoft’s response to the UpGuard vulnerability report (Source: UpGuard)

However, Microsoft has since proactively notified organizations by email that their portals expose data that should be private, according to the blog CRM Tip of the Day, which contains screenshots of the emails.

Microsoft was correct that the problem was technically not a vulnerability, but it had a serious impact nonetheless, said Greg Pollock, vice president of cyber research at UpGuard.

“At first I was very disappointed because I thought it was very clear that this was a configuration issue that had serious data security impacts that should be taken seriously by them,” Pollock told Information Security Media Group.

In a statement, Microsoft said, “Our products provide customers with the flexibility and privacy features to design scalable solutions that meet a wide variety of needs. We take security and privacy seriously, and we encourage our customers to use best practices when configuring products to better meet their privacy needs.”

Ah, the data!

Power Apps portals can use OData, the Open Data Protocol RESTful API, to display data on portals. Power Apps can be configured either to require authentication to access these OData list feeds or to allow anonymous access.

OData feeds return data from lists, and those lists draw their data from tables. Microsoft provides a permissions setting for tables, but table permissions were not enforced by default. Organizations needed to enable them themselves, and many did not.

Microsoft has now changed that. Starting with version 9.3.7.x of Power Apps portals, table permissions are enforced by default for all lists, according to an August 5 support note. On Tuesday Microsoft also released updated guidance on securing lists and on how OData feeds work.
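From outside a portal, "table permissions enforced" shows up as a refused unauthenticated request on each list feed, while an unprotected list simply returns its rows. The Python below is an added example written for this article, not code from Microsoft, UpGuard or the article itself. It audits an organization's own portal: given the OData service document and the outcome of one unauthenticated GET per entity set, it reports which lists are readable without signing in and flags columns whose names look like personal data. The `/_odata` endpoint path, the PII column-name patterns and the sample documents are assumptions constructed for the example; the network helper is optional and the audit logic runs entirely offline.

```python
"""Audit a Power Apps portal's OData lists for anonymous exposure.

Added example; not the article's, Microsoft's or UpGuard's code. The
sample service document and feeds below are constructed, not real data.
"""
import json
import re
import urllib.error
import urllib.request
from typing import Any, Dict, List, Optional

# Column-name patterns that usually indicate personal data. Hypothetical
# starting list; tune it to the schema of the portal being audited.
PII_COLUMN_PATTERNS = [
    r"e-?mail", r"phone|mobile|telephone", r"birth|\bdob\b",
    r"ssn|social", r"first-?name|last-?name|full-?name|^name$",
    r"employee-?id|badge",
]


def pii_columns(columns: List[str]) -> List[str]:
    """Return the subset of column names that look like personal data."""
    return [c for c in columns
            if any(re.search(p, c, re.IGNORECASE) for p in PII_COLUMN_PATTERNS)]


def audit_entity_sets(service_doc: Dict[str, Any],
                      anonymous_feeds: Dict[str, Optional[Dict[str, Any]]]
                      ) -> List[Dict[str, Any]]:
    """Combine an OData service document with unauthenticated fetch results.

    anonymous_feeds maps entity-set name -> parsed JSON feed, or None when
    the portal answered 401/403 (table permissions are doing their job).
    """
    findings = []
    for entity_set in service_doc.get("value", []):
        name = entity_set["name"]
        feed = anonymous_feeds.get(name)
        if feed is None:
            findings.append({"list": name, "anonymous": False,
                             "records": 0, "pii_columns": [], "severity": "ok"})
            continue
        rows = feed.get("value", [])
        # Collect every non-annotation column seen in the returned rows.
        columns = sorted({k for row in rows for k in row if not k.startswith("@")})
        exposed = pii_columns(columns)
        # @odata.count is present only when the request asked for it.
        count = feed.get("@odata.count", len(rows))
        findings.append({"list": name, "anonymous": True, "records": count,
                         "pii_columns": exposed,
                         "severity": "high" if exposed else "review"})
    return findings


def fetch_anonymous(base_url: str, path: str) -> Optional[Dict[str, Any]]:
    """GET an OData path with no credentials against your own portal.

    Returns the parsed JSON body, or None if the portal refused (401/403).
    Assumes the portal exposes OData under /_odata (not stated in the article).
    """
    url = f"{base_url.rstrip('/')}/_odata/{path.lstrip('/')}"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            return None
        raise


# Constructed sample: one list leaking PII, one public-safe list, one protected.
SAMPLE_SERVICE_DOC = {
    "@odata.context": "https://portal.example/_odata/$metadata",
    "value": [
        {"name": "contactset", "kind": "EntitySet", "url": "contactset"},
        {"name": "vaccinesiteset", "kind": "EntitySet", "url": "vaccinesiteset"},
        {"name": "appointmentset", "kind": "EntitySet", "url": "appointmentset"},
    ],
}
SAMPLE_ANON_FEEDS: Dict[str, Optional[Dict[str, Any]]] = {
    "contactset": {"@odata.count": 3, "value": [
        {"contactid": "c1", "fullname": "A. Person", "emailaddress1": "a@example.test"},
    ]},
    "vaccinesiteset": {"value": [
        {"siteid": "s1", "sitename": "Civic Center", "city": "Exampleville"},
    ]},
    "appointmentset": None,  # portal answered 403: permissions enforced
}


def run_sample() -> List[Dict[str, Any]]:
    """Run the audit over the constructed sample and return the findings."""
    return audit_entity_sets(SAMPLE_SERVICE_DOC, SAMPLE_ANON_FEEDS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

To audit a live portal you control, build `anonymous_feeds` by calling `fetch_anonymous(base_url, name)` for each entry of the service document and feed the result to `audit_entity_sets`; any list with severity `high` is the case the article describes, and `review` lists still deserve a look since the name patterns are only a heuristic.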

As UpGuard notes in its blog post, certain types of data, such as locations where COVID-19 vaccines are available, are appropriate for public access. But the PII of the people vaccinated should not be.

This is what happened in Denton County, Texas. The county had a Power Apps portal with several OData lists exposed. One of them, called “msemr_appointmentemrset” and containing 632,171 records, held employee names and identifiers, email addresses, phone numbers, dates of birth, vaccination types and dates, and appointment times.

Another list, called “contactVaccinationSet”, contained 400,091 records with full names and vaccination types. A third list, called “contactset”, contained 253,844 records with full names and email addresses. UpGuard called the county on July 7, and the data was secured the same day.

The right move, finally

Why so many big name companies missed the fact that Microsoft’s default settings posed a danger is not entirely clear. But Pollock assumes Power Apps was so easy to use that people probably just launched apps without fully reading the documentation, which cautioned against insecure setups.

“If no one reported a problem, then no one ever checked to see if there was a problem,” says Pollock.

Even Microsoft itself set up several Power Apps portals that weren’t secure, including its Global Payroll Services Portal, which answered payroll questions from contractors and Microsoft employees. This portal exposed 332,000 records with full names, personal phone numbers, email addresses and employee IDs.

Microsoft exposed data from its own Power Apps payroll service. (Source: UpGuard)

In another example, Microsoft had an insecure portal used to manage customer engagements and schedules, the UpGuard blog notes. This exposed 277,400 records with full names and email addresses, and some of the listings on display described programs these people were involved in.

UpGuard has made an effort to reach out to organizations that have had some of the more serious exposures, but there are likely still people affected and unaware. Pollock is hopeful that other organizations will check their settings now that the issue has received widespread attention.

Pollock compares the Power Apps situation to the period when Amazon S3 buckets were routinely left open on the web, leading to data leaks. Amazon ultimately changed the default settings to make these kinds of configuration errors less common, he says.

In this case, Microsoft “finally did the right thing,” Pollock says. “I think they could have done it earlier.”

Rosemary C. Kearney