Companies using Microsoft Power Apps portals got their records exposed

Alexandru Poloboc
by Alexandru Poloboc
News Editor
With an overpowering desire to always get to the bottom of things and uncover the truth, Alex spent most of his time working as a news reporter, anchor, as well as TV and radio... Read more
Affiliate Disclosure
  • More than 38 million records got leaked online because of people using default configurations in Microsoft Power Apps portals.
  • This sensitive data that got exposed was all stored in Microsoft’s Power Apps portal service, according to researchers.
  • Upon enabling certain APIs, the platform defaulted to making the corresponding data publicly accessible.
  • The misconfiguration of cloud-based databases has been a serious issue over the years, exposing huge quantities of data to inappropriate access or theft.
     
microsoft powerapps

As you know, Power Apps is Microsoft’s low-code platform for organizations to quickly develop full-fledged applications, mostly for internal use, complete with a frontend and a backend.

It really is a powerful tool, that allows you to build apps, even if you’re not well-skilled in programming.

Even though Microsoft regularly updates Power Apps with new features and capabilities, a new report might be cause for concern for organizations.

It would appear that over 38 million records have leaked online because of people using default configurations in Microsoft Power Apps portals.

The incident affected major companies such as American Airlines, Ford, the transportation and logistics company J.B. Hunt, the Maryland Department of Health, the New York City Municipal Transportation Authority, and New York City public schools.

And while the data exposures have been addressed, they show how one bad configuration setting in a popular platform can have far-reaching consequences.

Contact-tracing information exposed over the internet

The data that was exposed was all stored in Microsoft’s Power Apps portal service, which is a development platform that makes it easy to create web or mobile apps for external use.

If you need to spin up a vaccine appointment sign-up site quickly during, say, a pandemic, Power Apps portals can generate both the public-facing site and the data management backend.

Back in May, researchers from the security firm Upguard started investigating a large number of Power Apps portals that publicly exposed data that should have been private.

Among these were some Power Apps that Microsoft made for its own purposes.

However, none of the data is known to have been compromised, but the finding is still an important one, as it reveals an oversight in the design of Power Apps portals that has since been fixed.

Besides managing internal databases and offering a foundation to develop apps, the Power Apps platform also provides ready-made application programming interfaces to interact with that data.

Misconfiguration leads to vulnerability

The researchers from Upguard realized that when enabling these APIs, the platform defaulted to making the corresponding data publicly accessible.

Enabling privacy settings was a manual process and, as a result, many customers misconfigured their apps by leaving the insecure default.

We found one of these that was misconfigured to expose data and we thought, we’ve never heard of this, is this a one-off thing or is this a systemic issue? Because of the way the Power Apps portals product works, it’s very easy to quickly do a survey. And we discovered there are tons of these exposed. It was wild.

Microsoft itself exposed a number of databases in its own Power Apps portals, including an old platform called Global Payroll Services, two Business Tools Support portals, and a Customer Insights portal.

The misconfiguration of cloud-based databases has been a serious issue over the years, exposing huge quantities of data to inappropriate access or theft.

Big cloud companies like Amazon Web Services, Google Cloud Platform, and Microsoft Azure have all taken steps to store customers’ data privately by default from the start and flag potential misconfigurations, but the industry didn’t prioritize the issue until fairly recently. 

The Upguard researchers couldn’t get to every entity, because there were too many, so they also disclosed the findings to Microsoft.

Users can check their portal settings with Microsoft’s tool

At the beginning of August, Microsoft announced that Power Apps portals will now default to storing API data and other information privately.

The Redmond company also released a tool customers can use to check their portal settings.

But, between Microsoft’s fixes and UpGuard’s own notifications, experts now say that the vast majority of the exposed portals, and all of the most sensitive ones, are now private.

With other things we’ve worked on, it’s public knowledge that cloud buckets can be misconfigured, so it’s not incumbent on us to help secure all of them. But no one had ever cleaned these up before, so we felt we had an ethical duty to secure at least the most sensitive ones before being able to talk about the systemic issues.

What’s your take on this whole situation? Share your thoughts with us in the comments section below.

This article covers:Topics: