Power Apps really is a powerful tool, one that lets you build apps even if you are not well versed in programming. But while Microsoft regularly updates Power Apps with new features and capabilities, a new report should give organizations pause. Over 38 million records appear to have been exposed online because people ran Microsoft Power Apps portals with their default configuration. The exposures affected major organizations such as American Airlines, Ford, the transportation and logistics company J.B. Hunt, the Maryland Department of Health, the New York City Metropolitan Transportation Authority, and New York City public schools. And while the exposures have since been addressed, they show how one bad configuration setting in a popular platform can have far-reaching consequences.

Contact-tracing information exposed over the internet

All of the exposed data was stored in Microsoft's Power Apps portals service, a development platform that makes it easy to create web or mobile apps for external users. If you need to spin up a vaccine appointment sign-up site quickly during, say, a pandemic, Power Apps portals can generate both the public-facing site and the data management backend. Back in May, researchers from the security firm UpGuard started investigating a large number of Power Apps portals that publicly exposed data that should have been private, among them several portals that Microsoft had built for its own purposes. None of the data is known to have been abused, but the finding is still an important one, as it reveals an oversight in the design of Power Apps portals that has since been fixed. Besides managing internal databases and offering a foundation for developing apps, the Power Apps platform also provides ready-made application programming interfaces (APIs) for interacting with that data.

Misconfiguration leads to vulnerability

The UpGuard researchers found that when these APIs were enabled, the platform defaulted to making the corresponding data publicly accessible: anyone who could reach the portal could read the API feed without logging in. Restricting access was a manual, opt-in step, so many customers misconfigured their apps simply by leaving the insecure default in place. Microsoft itself exposed a number of databases through its own Power Apps portals, including an old platform called Global Payroll Services, two Business Tools Support portals, and a Customer Insights portal. Misconfigured cloud databases have been a serious problem for years, exposing huge quantities of data to inappropriate access or theft. The UpGuard researchers could not notify every affected entity, because there were too many, so they also disclosed the findings to Microsoft.
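To make the misconfiguration concrete, here is a small Python audit script, added to this article as an example; it is not code from the article, from UpGuard, or from Microsoft. It sends the same unauthenticated requests an outsider would: it fetches the portal's OData service document, then asks each listed feed for a single record and reports which feeds answer anonymously. It assumes the conventional paths (/_odata for the service document and /_odata/<name> for each feed), OData v4 JSON responses, and that a feed with table permissions enforced refuses an anonymous request with an HTTP error. The sample portal responses embedded in the script are constructed, not real data. Run it only against portals you own or are authorised to test.

```python
"""Probe a Power Apps portal for anonymously readable OData feeds.

Added example, not from the article, UpGuard or Microsoft. Assumptions: the
portal serves its OData service document at <portal>/_odata and entity-set
feeds at <portal>/_odata/<name>, both as OData v4 JSON; a feed that enforces
table permissions answers an anonymous request with an HTTP error (401/403/404).
Only point this at portals you own or are authorised to assess.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional

# A fetcher takes a URL and returns the response body, or None when the
# anonymous request is refused. Injecting it keeps the audit logic testable
# offline and keeps the real HTTP fetcher tiny.
Fetcher = Callable[[str], Optional[str]]


def http_fetch(url: str, timeout: float = 10.0) -> Optional[str]:
    """Unauthenticated GET with no cookies or tokens, exactly what a stranger sends."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError:
        return None  # 401/403/404: the portal refused the anonymous request


def parse_service_document(body: str) -> List[str]:
    """Entity-set names from an OData v4 service document: {"value": [{"name": ...}, ...]}."""
    doc = json.loads(body)
    return [entry["name"] for entry in doc.get("value", []) if "name" in entry]


def audit_portal(base_url: str, fetch: Fetcher = http_fetch) -> Dict[str, object]:
    """Report which OData feeds of a portal return rows to an anonymous client.

    Only the column names of the first row are retained, so the audit does not
    itself collect the personal data it is looking for.
    """
    root = base_url.rstrip("/") + "/_odata"
    service_doc = fetch(root)
    if service_doc is None:
        return {"portal": base_url, "anonymous_odata": False, "exposed": {}}

    exposed: Dict[str, List[str]] = {}
    for name in parse_service_document(service_doc):
        feed = fetch(f"{root}/{name}?$top=1")  # ask for a single record
        if feed is None:
            continue  # table permissions enforced: anonymous access denied
        rows = json.loads(feed).get("value", [])
        if rows:
            exposed[name] = sorted(rows[0].keys())
    return {"portal": base_url, "anonymous_odata": True, "exposed": exposed}


# --- Constructed sample portal (not real data) --------------------------------
# Mimics a portal whose service document is public, with one list still on the
# insecure default and one list with table permissions enforced.
CONSTRUCTED_RESPONSES = {
    "/_odata": json.dumps({"value": [
        {"name": "contacttracings", "url": "contacttracings"},
        {"name": "vaccineappointments", "url": "vaccineappointments"},
    ]}),
    "/_odata/contacttracings?$top=1": json.dumps({"value": [
        {"ContactId": "c-0001", "FullName": "Sample Person",
         "Phone": "555-0100", "TestResult": "negative"},
    ]}),
    # "vaccineappointments" is deliberately absent: the fetcher answers None (HTTP 403).
}


def constructed_fetch(url: str) -> Optional[str]:
    """Offline stand-in for http_fetch that serves the constructed responses above."""
    for suffix, body in CONSTRUCTED_RESPONSES.items():
        if url.endswith(suffix):
            return body
    return None


if __name__ == "__main__":
    report = audit_portal("https://example.powerappsportals.com", constructed_fetch)
    print(json.dumps(report, indent=2))
    # Real run against your own portal: audit_portal("https://<your-portal>.powerappsportals.com")
```

A report with anonymous_odata true and a non-empty exposed map is exactly the condition the article describes; anonymous_odata true with an empty exposed map means the service document is public but every feed enforces permissions. Because only column names are kept, the script does not harvest the records it finds.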

Users can check their portal settings with Microsoft’s tool

At the beginning of August, Microsoft announced that Power Apps portals will now default to keeping API data and other information private. The Redmond company also released a tool that customers can use to check their portal settings for this kind of exposure. Between Microsoft's fixes and UpGuard's own notifications, experts say the vast majority of the exposed portals, and all of the most sensitive ones, are now private. What's your take on this whole situation? Share your thoughts with us in the comments section below.
