Microsoft Power Apps misconfigurations expose 38 million records

American Airlines, J.B. Hunt, and Ford were all affected

Multiple data leaks took place as a result of weak default configurations on Microsoft Power Apps portals, which left more than a thousand web apps accessible to anyone who found them.

According to researchers at UpGuard, the leaks exposed 38 million records online, including data from a number of job application portals, employee databases, Covid-19 contact tracing platforms and vaccination sign-ups.

It affected a total of 47 organisations, exposing a range of sensitive information - from people's phone numbers and home addresses to US social security numbers and Covid-19 vaccination status.

The exposed data was stored in Microsoft's Power Apps portal service, which offers customers a variety of low-code tools to design apps, as well as public and private web sites. The platform manages internal databases for apps and websites, as well as providing ready-made APIs to interact with that data.

UpGuard researchers first discovered the issue involving the OData API for a Power Apps portal on 24th May and reached out to Microsoft on 24th June. Forty-seven entities were notified about the data exposure.

UpGuard found that when enabling APIs, the platform defaulted all data types to public when some information should have been made private.

Because enabling privacy settings was a manual process, many customers misconfigured their apps by leaving the insecure settings as default.

According to UpGuard, Microsoft listed the implications of those settings, but did not make them very clear.

'The number of accounts exposing sensitive information, however, indicates that the risk of this feature - the likelihood and impact of its misconfiguration - has not been adequately appreciated. On one hand, the product documentation accurately describes what happens if an app is configured in this way. On the other hand, empirical evidence suggests a warning in the technical documentation is not sufficient to avoid the serious consequences of misconfiguring OData list feeds for Power Apps portals.'

The incident affected major organisations and private companies, including American Airlines, logistics firm J.B. Hunt, Ford, the New York City Municipal Transportation Authority, the Maryland Department of Health, and New York City public schools.

Microsoft itself exposed some databases in its own Power Apps portals, including a Customer Insights portal, a Global Payroll Services platform, and two Business Tools Support portals.

Microsoft has since changed its default settings for Power Apps and is also providing a tool to help users diagnose their security.

Researchers say they found no evidence to suggest that any of the data had been compromised.

The misconfiguration of cloud-based databases, which can allow attackers to steal huge quantities of sensitive data, has been a serious issue over the years.

Earlier this year, Nissan North America was hit with a data leak after misconfiguring one of its Bitbucket Git servers. The exposed data included source code of Nissan mobile apps and diagnostics tools.

Last year, researchers found an unsecured database stored on an AWS S3 bucket, which was exposing sensitive information on thousands of British consultancy firms and working professionals.