Misconfiguration in Microsoft Power Apps portals expose 38 million records

Security researchers found that a large number of web apps using Microsoft’s Power Apps portals exposed 38 million records on the open Internet as a result of a simple misconfiguration. While the issue has since been resolved, it should be a lesson learned that security settings for a low-code platform should include a privacy switch turned on by default.

The growing trend of large-scale security blunders is far from over, as evidenced by research that shows around 38 million records from over a thousand web apps that were built using Microsoft’s Power Apps platform were exposed to the open Internet. This includes data from employee databases, app portals, vaccination signup tools, and coronavirus contact tracing platforms, on top of things like phone numbers, social security numbers, and home addresses.

To get an idea of the gravity of this incident, the data belongs to a number of large companies such as Ford, American Airlines, J.B. Hunt, as well as institutions like New York City public schools, the Maryland Department of Health, the New York City Municipal Transportation Authority, and the Indiana Department of Health. Even some Microsoft-made apps are affected, with over 332,000 email addresses and employee IDs exposed.

According to a Wired report, researchers at security company Upguard discovered the issue in May. Their investigation concluded that over a thousand data sets from Power Apps portals that were supposed to be private had been rendered accessible by a seemingly minor misconfiguration. In short, the data obtained by developers through Power Apps portals was public by default, and so they would need to manually set it to private if desired.

Upguard reported the issue to the Microsoft Security Resource Center on June 24, but the latter responded by explaining that this behavior was actually “by design.” Researchers then started notifying the affected organizations, and a month later, almost all of the exposed data had been made private.

The good news is the issue has since been resolved by Microsoft, who changed the design of Power Apps portals to keep data private as the default behavior and released a tool for developers to check if their portal security settings allow data to be publicly accessible. Upguard says that it found no indication that the exposed data has been compromised, so the affected organizations can at least breathe a sigh of relief.

In a statement, Microsoft explained, “our products provide customers flexibility and privacy features to design scalable solutions that meet a wide variety of needs. We take security and privacy seriously, and we encourage our customers to use best practices when configuring products in ways that best meet their privacy needs.”