38 million records exposed because companies used default configs in Microsoft Power Apps

Gandalf_The_Grey

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,567
Content source
https://www.neowin.net/news/38-million-records-exposed-because-companies-used-default-configs-in-microsoft-power-apps/
Power Apps is Microsoft's low-code platform for organizations to quickly develop full-fledged applications, mostly for internal use, complete with a frontend and a backend. It is a powerful utility that allows you to build apps, even if you're not well-skilled in programming. Microsoft regularly updates Power Apps with new features and capabilities. However, a new report might be cause for concern for organizations as it appears that over 38 million records have leaked online because of people using default configurations in Microsoft Power Apps.

As reported by Wired, security firm Upguard has highlighted that thousands of web apps made by multiple companies have been exposing sensitive information through public-facing Power Apps portals. According to the report, 38 million records were available to the public and contained information about COVID-19 contact-tracing information, employee databases, job information, phone numbers, social security numbers, and home addresses. Apparently, some of Microsoft's own apps also displayed the same behavior.

Upguard says that when enabling APIs for Power Apps, the default configuration used to be such that any data hosted is publicly accessible. Anyone who had access to a portal's URL can utilize it to scrape data belonging to another entity.

The security firm reported its findings to Microsoft as well, and as a result, the Redmond tech giant released an update in August to make APIs private by default. It also rolled out a tool so organizations can check the security settings of their Power Apps portals.

This is certainly an interesting case in terms of defining where the blame lies. While the onus should be on organizations to properly configure their Power Apps, having the APIs public by default is a bit of an odd design decision by Microsoft as well. Many companies use Power Apps to build applications for internal use and publish them immediately, so security is probably not the top priority in a lot of use-cases. It is currently unknown if the 38 million records in question were scraped by someone but it has been revealed that multiple companies including Ford, J.B. Hunt, and American Airlines were impacted by the misconfiguration.
Click to expand...
 
  • Like
  • Wow
  • +Reputation
Reactions: CyberTech, upnorth, Nevi and 7 others
You must log in or register to reply here.

Similar threads

CyberTech
    • Like
    • +Reputation
    • Applause
Android spyware camouflaged as VPN, chat apps on Google Play
Replies
0
Views
906
News Archive
CyberTech
CyberTech
vtqhtr413
    • Like
    • +Reputation
Hot Take First look at the new All Apps section of Windows 11 Start Menu
Replies
0
Views
234
Windows 11
vtqhtr413
vtqhtr413
Gandalf_The_Grey
    • Like
    • +Reputation
    • Wow
New 'HTTP/2 Rapid Reset' zero-day attack breaks DDoS records
Replies
0
Views
1,197
News Archive
Gandalf_The_Grey
Gandalf_The_Grey

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top