A configuration issue in Microsoft Power Apps resulted in a massive data breach, exposing the sensitive information of millions of users. An analysis from information security firm UpGuard revealed that over 38 million records from 47 different government and private entities that use Microsoft Power Apps portals were accidentally left exposed online. The incident represents the severe risks posed by third-party data breaches.
What is Microsoft Power Apps?
Microsoft Power Apps is a suite of cloud-hosted applications and services that allow businesses to develop custom apps as per their business needs. Apps built using Power Apps help companies to transform their manual business operations into digital and automated processes. Power Apps enable OData (Open Data Protocol) APIs to retrieve data from Power Apps.
A New Vector of Data Leak
As per UpGuard, Power Apps’ product documentation mentions the conditions under which OData APIs can be made accessible to the public and its marketing page lists “the ability to access data either anonymously or through commercial authentication.”
The exposed information includes names, email addresses, other personal data for COVID-19 contact tracing, social security numbers, vaccination appointments, and employee IDs. Entities and government bodies that suffered in the security incident include Indiana, Maryland, New York City, Ford, J.B. Hunt, Microsoft, and American Airlines.
“First, we identified the addresses of Power Apps portals. Power Apps portals are assigned a subdomain of the site ‘powerappsportals.com,’ so using common subdomain enumeration techniques generated a list of customer portals. We also discovered two other primary domains used for similar Microsoft products with the same OData configuration options: powerappsportals.us, which appears to be for U.S. governmental use, and microsoftcrmportals.com, which is for a deprecated version of the product line,” UpGuard said.
Microsoft’s Response
Microsoft is notifying the affected entities and cloud customers about the security incident. The tech giant also released a tool – Portal Checker – for checking Power Apps portals and initiated changes to the product for better data security.
“More importantly, newly created Power Apps portals will have table permissions enabled by default. Tables configurations can still be changed to allow for anonymous access but defaulting to permissions enabled will greatly reduce the risk of future misconfiguration,” Microsoft said.
What Experts Say…
Speaking exclusively with CISO MAG, Ilia Sotnikov, VP of User Experience & Security Strategist at Netwrix, said, “This is a great example of how UI design decisions can have an impact on the decisions users make. The anonymous access enabled in Power Apps results from two settings in different tabs in a configuration dialog box. If you enable one and skip the other, you allow everyone on the internet to access your table contents. Vendors should invest in user experience (UX) research and usability testing to minimize the risk of such issues for their customers. This news should hopefully lead to both vendors and companies think more about the balance between time to market and security of their solutions.”
