Data has not been “Exploited,” yet.
Default permission settings in a Microsoft-made app-building tool exposed the records of 38 million users online. The leaked data, including names, email addresses, phone numbers, social security numbers, and COVID-19 vaccination appointments, was publicly accessible from more than 40 companies and government agencies that use the Microsoft Power Apps tool. Thankfully, there is no proof that the leaked data has been exploited yet.
UpGuard, a security research team, found this problem back in May and recently published a blog post about the leak. In the UpGuard and Wired reports, UpGuard explained how some organizations and agencies used Microsoft Power Apps to collect data with improper permissions.
“We found one of these [apps] that was misconfigured to expose data and we thought, we’ve never heard of this. Is this a one-off thing or is this a systemic issue? Because of the way the Power Apps portals product works, it’s very easy to quickly do a survey. And we discovered there are tons of these exposed. It was wild.”
- UpGuard’s vice president of cyber research Greg Pollock, to Wired.
Power Apps is a Microsoft-made platform that allows users to create simple websites without formal coding knowledge. Ford, American Airlines, J.B. Hunt, and state agencies in Maryland, New York City, and Indiana are among the organizations affected by the data exposure. These organizations were using apps built with Power Apps to collect various types of data, including vaccination records.
Microsoft Power Apps is a product for making “low code”, cloud-hosted business intelligence apps. Power Apps portals are a way to create a public website to “give both internal and external users secure access to your data.” Users can create websites in the Power Apps UI with application capabilities like user authentication, forms for users to enter data, data transformation logic, storage of structured data, and APIs to retrieve that data by other applications. Portals provide a public website for interacting with those apps. Typically a business unit or polity uses a portal as an interface with a closely related audience like customers, sales partners, employees, or citizens.
Power Apps tools let users collect such data quickly, but by default Power Apps left this information publicly accessible. That default behavior is what UpGuard discovered.
On May 24, 2021, an UpGuard analyst first discovered that the OData API for a Power Apps portal had anonymously accessible list data including personally identifiable information. The owner of that application was notified and the data was secured. That case led to the question of whether there were other portals with the same situation: the combination of configurations allowing lists to be accessed anonymously via OData feed APIs, and sensitive data collected and stored by the apps.
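The condition UpGuard describes can be checked on a portal you operate by fetching its OData feed without credentials and inspecting what comes back. The helper below is an added example, not UpGuard's or Microsoft's code: it takes an already-captured unauthenticated response and reports whether list records were returned and which columns look like PII. The feed path, the column names and both sample responses are constructed for illustration.

```python
import json
import re

# Column-name heuristic for PII-looking fields (constructed, not from UpGuard's method).
SENSITIVE_PATTERNS = re.compile(r"(ssn|social|email|phone|birth|dob|vaccin)", re.IGNORECASE)


def classify_odata_exposure(status_code: int, body: str) -> dict:
    """Classify an unauthenticated response from a Power Apps portal OData feed.

    Portals publish list data under the /_odata path. When a list has the OData
    feed enabled and table permissions are not enforced, an anonymous GET returns
    the records themselves. This inspects a response captured from your own
    portal and flags records (and PII-looking columns) served without login.
    """
    result = {"anonymous_access": False, "record_count": 0, "sensitive_fields": []}
    if status_code != 200:
        return result  # 401/403/404: the feed is not anonymously readable
    try:
        doc = json.loads(body)
    except ValueError:
        return result  # e.g. an HTML sign-in page rather than a JSON feed
    records = doc.get("value") if isinstance(doc, dict) else None
    if not isinstance(records, list):
        return result  # JSON, but not an OData collection of records
    result["anonymous_access"] = True
    result["record_count"] = len(records)
    seen = set()
    for rec in records:
        for key in rec:
            if SENSITIVE_PATTERNS.search(key):
                seen.add(key)
    result["sensitive_fields"] = sorted(seen)
    return result


# Constructed sample responses (no real data) so the check runs offline.
EXPOSED_BODY = json.dumps({
    "@odata.context": "https://portal.example.invalid/_odata/$metadata#contacts",
    "value": [
        {"fullname": "A. Person", "emailaddress1": "a@example.invalid", "ssn": "000-00-0000"},
        {"fullname": "B. Person", "emailaddress1": "b@example.invalid", "ssn": "000-00-0001"},
    ],
})
LOCKED_DOWN_BODY = json.dumps({"error": {"message": "Access denied"}})

if __name__ == "__main__":
    print(classify_odata_exposure(200, EXPOSED_BODY))       # records + PII columns exposed
    print(classify_odata_exposure(403, LOCKED_DOWN_BODY))   # table permissions enforced
```

A portal whose lists are locked down with table permissions should produce the second result for every list; any list yielding the first result needs its OData feed disabled or its permissions fixed before it serves real data.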
Microsoft says this is not a vulnerability but a failure by users to configure permissions properly. We think that if you are creating a tool for people with no coding knowledge, you should make it as secure as possible. Wired reported that Microsoft has changed the default permissions that were responsible for the breach.