38 million records exposed because companies used default configs in Microsoft Power Apps

Gandalf_The_Grey

Power Apps is Microsoft's low-code platform for quickly building full-fledged applications, mostly for internal use, complete with a frontend and a backend. It is a powerful tool that lets people build apps even without much programming skill, and Microsoft regularly adds new features and capabilities to it. A new report, however, should give organizations pause: over 38 million records have been exposed online because Power Apps portals were left in their default configuration.

As reported by Wired, security firm UpGuard found that thousands of web apps built by many different organizations were exposing sensitive information through public-facing Power Apps portals. According to the report, 38 million records were reachable by anyone, including COVID-19 contact-tracing data, employee databases, job information, phone numbers, Social Security numbers, and home addresses. Some of Microsoft's own portals showed the same behavior.

UpGuard says the problem was the default configuration: when an organization turned on the OData API for a table in a Power Apps portal, the data behind it was publicly readable unless table permissions were also configured, and nothing required that step. Anyone who knew a portal's URL could query the feed without authenticating and scrape that organization's data.
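The practical check an organization wants after reading this is whether its own portals hand data to an anonymous client. The following script is added here as an example and is not UpGuard's tooling or Microsoft's own checker: it sends unauthenticated requests to a portal's OData feed (the `/_odata/` path) and flags the portal only when a listed table actually returns rows, since a table merely being listed is not by itself a leak. The host name and the canned responses are constructed, and the `$top` sampling and the empty-collection model of a locked-down portal are assumptions.

```python
"""
Offline-testable check for the Power Apps portal misconfiguration described above:
an OData feed that answers unauthenticated requests with table rows.

The feed lives at https://<portal-host>/_odata/ and, like any OData v4 service,
returns a service document listing entity sets that can then be queried.
Verdict logic: "exposed" means rows came back to an anonymous client.
"""
from __future__ import annotations

import json
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Fetcher = Callable[[str], Tuple[int, bytes]]


def default_fetch(url: str, timeout: int = 10) -> Tuple[int, bytes]:
    """Unauthenticated GET: no cookies, no bearer token, only an Accept header."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def parse_service_document(body: bytes) -> List[str]:
    """Entity-set names from an OData service document: {"value": [{"name": ..., "url": ...}]}."""
    try:
        doc = json.loads(body)
    except (ValueError, UnicodeDecodeError):
        return []
    if not isinstance(doc, dict):
        return []
    return [e["name"] for e in doc.get("value", []) if isinstance(e, dict) and e.get("name")]


def count_rows(body: bytes) -> int:
    """Number of rows in an OData collection response; 0 for anything malformed."""
    try:
        doc = json.loads(body)
    except (ValueError, UnicodeDecodeError):
        return 0
    value = doc.get("value") if isinstance(doc, dict) else None
    return len(value) if isinstance(value, list) else 0


@dataclass
class PortalProbe:
    host: str
    status: Optional[int] = None
    entity_sets: List[str] = field(default_factory=list)
    rows_sampled: Dict[str, int] = field(default_factory=dict)

    @property
    def anonymous_exposure(self) -> bool:
        # Only a table that returns rows to an anonymous caller counts as exposure.
        return self.status == 200 and any(n > 0 for n in self.rows_sampled.values())

    def report(self) -> str:
        verdict = "EXPOSED" if self.anonymous_exposure else "no anonymous data"
        leaking = [t for t, n in self.rows_sampled.items() if n > 0]
        return (f"{self.host}: feed status {self.status}, tables listed {len(self.entity_sets)}, "
                f"returning rows anonymously {leaking} -> {verdict}")


def probe_portal(host: str, fetch: Fetcher = default_fetch, sample: int = 5) -> PortalProbe:
    """Fetch the service document, then $top=<sample> rows of each listed table, all unauthenticated."""
    base = f"https://{host}/_odata/"
    status, body = fetch(base)
    probe = PortalProbe(host=host, status=status)
    if status != 200:
        return probe
    probe.entity_sets = parse_service_document(body)
    for name in probe.entity_sets:
        # $top is a standard OData query option (assumed supported here); a small
        # sample proves exposure without pulling the whole table.
        row_status, row_body = fetch(f"{base}{name}?$top={sample}")
        probe.rows_sampled[name] = count_rows(row_body) if row_status == 200 else 0
    return probe


# Constructed responses (not captured from any real portal) so the check runs offline.
_HOST = "example-portal.powerappsportals.com"  # placeholder host name, not a real portal
_BASE = f"https://{_HOST}/_odata/"
_SERVICE_DOC = json.dumps({"value": [{"name": "contacts", "url": "contacts"}]}).encode()


def fetch_exposed(url: str) -> Tuple[int, bytes]:
    """Simulates the reported default: feed on, no table permissions, rows go to anyone."""
    responses = {
        _BASE: (200, _SERVICE_DOC),
        f"{_BASE}contacts?$top=5": (200, json.dumps({"value": [
            {"fullname": "A. Example", "emailaddress1": "a@example.com"}]}).encode()),
    }
    return responses.get(url, (404, b""))


def fetch_locked(url: str) -> Tuple[int, bytes]:
    """Simulates table permissions denying anonymous reads, modelled (an assumption) as a
    listed table that returns an empty collection."""
    responses = {_BASE: (200, _SERVICE_DOC), f"{_BASE}contacts?$top=5": (200, b'{"value": []}')}
    return responses.get(url, (404, b""))


if __name__ == "__main__":
    print(probe_portal(_HOST, fetch=fetch_exposed).report())
    print(probe_portal(_HOST, fetch=fetch_locked).report())
```

Run it against a real portal by calling `probe_portal("<your-portal-host>")` with the default fetcher; run it only against portals you own, and treat any `EXPOSED` verdict as a reason to configure table permissions or disable the feed for that table, not as a licence to keep pulling rows.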

The security firm reported its findings to Microsoft, and in August the Redmond company changed the default so that newly created portals no longer expose API data anonymously. It also shipped a tool that organizations can run to check the security settings of their existing Power Apps portals.

This is an interesting case for deciding where the blame lies. The onus should be on organizations to configure their Power Apps portals properly, but shipping the APIs public by default was an odd design decision on Microsoft's part too. Many companies use Power Apps to build internal applications and publish them right away, so security is probably not the top priority in a lot of those projects. It is not yet known whether anyone actually scraped the 38 million records, but several companies, including Ford, J.B. Hunt, and American Airlines, have been named as affected by the misconfiguration.