Rampant misconfigurations in Microsoft Power Apps exposed 38 million records

Microsoft makes OData APIs privacy-preserving by default after revelations

More than 1,000 web applications have collectively leaked millions of records containing sensitive personal data because of misconfigurations in Microsoft Power Apps, a cybersecurity firm has revealed.

Among other data, 38 million publicly viewable records involving Covid-19 contact tracing information, social security numbers, and names, phone numbers, and email addresses, according to a write-up published by UpGuard yesterday (August 23).

UpGuard says it alerted 47 organizations that they had inadvertently exposed sensitive personal data online, including Ford, American Airlines, NYC Schools, transportation and logistics company J.B. Hunt, and – as reported by The Daily Swig – the Indiana Department of Health.

YOU MIGHT ALSO LIKE US healthcare org sends data breach warning to 1.4m patients following ransomware attack

The infosec outfit later discovered that some government bodies had even failed to detect the privacy blunders during security reviews of their web applications.

Even Microsoft misconfigured its own internal Power Apps portals, with a collection of 332,000 email addresses and employee IDs used for the company’s global payroll services exposed as a result, the most egregious example discovered by UpGuard.

Public by default

Power Apps is a ‘low-code’ tool used to build web applications through which customers, employees, or other groups of citizens can submit and access data.

The source of the misconfigurations stemmed from the fact that OData (Open Data Protocol) APIs used for retrieving data from Power Apps lists for display on portals were not privacy-protecting by default.

Soon-to-be deprecated documentation for Power Apps instructs developers that, if they enable the OData feed, they must also enable ‘table permissions’ in order to make the data private.

If they don’t, according to UpGuard, “anonymous users can access list data freely”.

In response to the findings, Microsoft is enabling table permissions by default. In addition, Redmond has released a Portal Checker tool for detecting lists that allow anonymous access.

Constructive criticisms

UpGuard applauded these changes but also offered some constructive criticisms.

After notifying Microsoft of its findings on June 24 and liaising further with its security team, Upguard said that Microsoft then declared the case closed on June 29 having “determined that this behavior is considered to be by design”.

Microsoft only later took remedial actions after being appraised of the most egregious data exposures, said Upguard.

Catch up on the latest data breach news

“While we understand (and agree with) Microsoft’s position that the issue here is not strictly a software vulnerability, it is a platform issue that requires code changes to the product, and thus should go in the same workstream as vulnerabilities,” said the infosec firm.

It also recommended that Microsoft and fellow software-as-a-service (SaaS) operators “improve end user visibility of access logs”, which are “crucial to executing incident response plans”.

Organizations more generally should have a “designated privacy contact on an easily searchable web page”, added Upguard, which said it struggled to reach an appropriate employee who could remediate exposed data in some of the cases it identified.

“Further, it must be an email address rather than a form,” said the firm. “Researchers sometimes need evidence of their exact message to affected entities in order to refute baseless smears, and email messages provide a useful record for those cases.”

The Daily Swig has invited Microsoft to comment – we will update the article if and when they do so.

RELATED Whistleblowing security researchers deny ‘inappropriate access’ to Indiana Covid-19 survey data