Microsoft Power Apps misconfiguration exposes data from 38 million records
The leaked data included personal information for COVID-19 contact tracing and vaccination appointments, social security numbers of job applicants, employee IDs, names and email addresses.
A lack of proper security configuration with Microsoft’s Power Apps has led to data exposure of some 38 million records, according to security firm UpGuard. In a report published on Monday, UpGuard said the misconfiguration of the low-code development platform exposed information such as COVID-19 contact tracing, vaccination appointments, social security numbers of job applicants, employee IDs and millions of names and email addresses.
Among the organizations whose data was exposed were government agencies in Indiana, Maryland and New York, as well as private companies such as American Airlines, JB Hunt and even Microsoft itself.
Microsoft Power Apps is a low-code development tool designed to help people with little programming experience build web and mobile applications for their organizations. As part of the process, Microsoft allows customers to configure Power Apps Portals as public websites to give internal and external users secure access to required data. And this is where the crux of the security problem lies.
To allow data access, Power Apps uses an OData (Open Data Protocol) API. The API retrieves data from Power Apps lists, which extract data from tables in a database. However, access to data tables had been set to public by default. To control who can retrieve data, clients were expected to actively configure and enable a table permissions setting. And apparently many have failed to do so, allowing any anonymous user free access to the data.
As Microsoft explains in a technical document on lists in Power Apps: “To secure a list, you must configure the table permissions for the table for which the records are displayed and also set the Boolean value Enable table permissions on the list record to true.” The document also cautions: “Be careful when enabling OData feeds without table permissions for sensitive information.” The OData feed can be accessed anonymously and without permission checking if Enable Table Permissions is disabled.
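The two conditions in Microsoft's document (table permission records exist for the table, and Enable table permissions is set to true on the list record) can be audited from a portal's own configuration data. The following is an added Python example, not code from UpGuard, Microsoft or the article; it assumes the Dataverse attribute names `adx_entityname`, `adx_odata_enabled`, `adx_entitypermissionsenabled` and `adx_entitylogicalname` as returned by the Web API, and runs over a constructed sample instead of a live tenant.

```python
import json

# Constructed sample of what a Dataverse Web API query for portal lists
# (adx_entitylist) and table permissions (adx_entitypermission) could return.
# Attribute names are assumptions from the Portals schema, not from the article.
SAMPLE_LISTS = json.dumps({"value": [
    {"adx_name": "Vaccine Appointments", "adx_entityname": "contact",
     "adx_odata_enabled": True, "adx_entitypermissionsenabled": False},
    {"adx_name": "Job Applicants", "adx_entityname": "cr_applicant",
     "adx_odata_enabled": False, "adx_entitypermissionsenabled": False},
    {"adx_name": "Public FAQ", "adx_entityname": "cr_faq",
     "adx_odata_enabled": True, "adx_entitypermissionsenabled": True},
    {"adx_name": "Case List", "adx_entityname": "incident",
     "adx_odata_enabled": True, "adx_entitypermissionsenabled": True},
]})
SAMPLE_PERMISSIONS = json.dumps({"value": [
    {"adx_entitylogicalname": "cr_faq"},
]})


def audit_lists(lists_json, permissions_json):
    """Return (list_name, severity, reason) for every list that does not meet
    both table-permission conditions named in Microsoft's documentation."""
    lists = json.loads(lists_json)["value"]
    tables_with_rules = {p["adx_entitylogicalname"]
                         for p in json.loads(permissions_json)["value"]}
    findings = []
    for lst in lists:
        name, table = lst["adx_name"], lst["adx_entityname"]
        perms_on = lst.get("adx_entitypermissionsenabled", False)
        odata_on = lst.get("adx_odata_enabled", False)
        if not perms_on:
            # No permission checking at all; with OData on, the feed is anonymous.
            sev = "HIGH" if odata_on else "MEDIUM"
            reason = "Enable table permissions is off"
            if odata_on:
                reason += " and the OData feed is on"
            findings.append((name, sev, reason))
        elif table not in tables_with_rules:
            # Flag is on but no permission rows exist for the table: verify intent.
            findings.append((name, "REVIEW",
                             f"permissions on but no table permission rows for {table}"))
    return findings


if __name__ == "__main__":
    for name, sev, reason in audit_lists(SAMPLE_LISTS, SAMPLE_PERMISSIONS):
        print(f"[{sev}] {name}: {reason}")
```

In a real tenant the two JSON inputs come from authenticated Web API queries against the portal's environment; the HIGH finding is the combination the article describes.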
Certainly, configuration errors and user errors are a common cause of security issues. But as vendors bring low-code, no-code development products to non-technical customers, the chances of errors increase. This is especially true as businesses increasingly turn to the cloud to configure applications and access data.
“The rush to the cloud has exposed many organizations’ inexperience with different cloud platforms and the risks associated with their default configurations,” said Chris Clements, vice president of solutions architecture at Cerberus Sentinel. “Developing in a public cloud can have advantages in terms of efficiency and scalability, but it also often removes the ‘safety net’ of development carried out inside internal networks protected from external access by the perimeter firewall barrier.”
Following its initial research starting May 24, 2021, UpGuard said it submitted a vulnerability report to the Microsoft Security Resource Center a month later, on June 24. The report contained the steps necessary to identify the OData feeds that allowed anonymous access to list data, and URLs for accounts that exposed sensitive data.
In response, the case was closed by Microsoft on June 29, with a company analyst telling UpGuard that it had “determined that this behavior was considered intentional.” Following further discussions between UpGuard and Microsoft, some of the affected organizations were made aware of the security issue. Ultimately, Microsoft made changes to the Power Apps portals so that table permissions are now enabled by default. The company also launched a tool to help Power Apps customers check their permission settings.
“While we understand (and agree with) Microsoft’s position that the issue here is not strictly a software vulnerability, it is a platform issue that requires code changes for the product, and should therefore go into the same workflow as vulnerabilities,” UpGuard said in its report. “It is a better resolution to change the product in response to observed user behaviors than to label the systemic loss of data privacy as a misconfiguration of the end user, allowing the problem to persist and exposing end users to cybersecurity risk of a data breach.”