Misconfigured Microsoft Power Apps Spill Sensitive Data
At Least 38 Million Records From Hundreds of Portals Exposed
At least 38 million records have been leaked by hundreds of online portals that were unwittingly misconfigured by organizations using Power Apps, a Microsoft service to quickly spin up web apps.
Among the companies and organizations that were leaking data are American Airlines, Ford Motor Co., J.B. Hunt, the Maryland Department of Health, the state of Indiana, New York City's Municipal Transportation Authority, NYC Schools and even Microsoft, which actually misconfigured several of its own portals, according to the security firm UpGuard.
The exposed data included personal information related to vaccine booking appointments, drug test dates, Social Security numbers, COVID-19 tests, employment and payroll-related information. Accessing the sensitive data involved a trivial modification to the URL for a Power Apps portal.
Microsoft has now changed a default setting in Power Apps to make using the service more secure and less likely to inadvertently expose data. Prior to the change, the company had warned in its Power Apps documentation of the danger of unsecure configurations, but that apparently went unnoticed.
The problem was discovered in June by UpGuard, which specializes in evaluating risks to data. Since then, UpGuard has contacted 47 affected organizations that had some of the most sensitive data exposed.
When UpGuard submitted a vulnerability report on June 24, the Microsoft Security Response Center replied in one email that the exposure of data was by-design behavior.
However, Microsoft has since been proactively notifying organizations by email when they have exposed data that should be private, according to the blog CRM Tip of the Day, which has screenshots of the emails.
Microsoft was correct that the issue technically wasn't a vulnerability, but it nonetheless had a serious impact, says Greg Pollock, vice president of cyber research at UpGuard.
"At first, I was very disappointed because I thought it was very clear it was a configuration issue that had serious data security impacts that should be taken seriously by them," Pollock tells Information Security Media Group.
In a statement, Microsoft says: "Our products provide customers flexibility and privacy features to design scalable solutions that meet a wide variety of needs. We take security and privacy seriously, and we encourage our customers to use best practices when configuring products in ways that best meet their privacy needs."
Power Apps can use OData (Open Data Protocol) RESTful APIs to display data on portals. Power Apps can be configured either to require authentication for access to those OData list feeds or to allow anonymous access.
OData APIs can pull data from lists, and those lists pull data from tables. Microsoft has a menu of permissions for the tables, but by default, those were off. Organizations needed to set them, and many didn't.
Microsoft has now changed that. As of Power Apps portals version 9.3.7.x, table permissions are now enforced by default for all lists, according to an Aug. 5 support note. Microsoft also issued updated guidance on securing lists and about how OData feeds work on Tuesday.
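To make the two defaults concrete, here is a small Python model, added for this article and not Microsoft's portal code, of how a portal list serves an OData feed. It assumes a table of vaccination appointments (constructed sample rows), a hypothetical web role named "Vaccination Staff" that has been granted Read on that table, and a per-list flag standing in for the table-permission enforcement that version 9.3.7.x turned on by default. The pre-change default returns every row to an anonymous caller; the enforced default returns rows only to callers holding a permitted web role.

```python
"""Simplified model of a Power Apps portal list serving an OData feed.
Added illustration, not Microsoft's implementation. Table name, role name
and sample rows are constructed for this example."""

from dataclasses import dataclass, field

# Constructed sample rows standing in for a vaccination-appointment table.
APPOINTMENT_ROWS = [
    {"id": 1, "name": "Pat Example", "email": "pat@example.invalid", "vaccine": "A"},
    {"id": 2, "name": "Sam Sample", "email": "sam@example.invalid", "vaccine": "B"},
]


@dataclass
class TablePermission:
    table: str
    read_roles: set  # web roles granted Read on the table


@dataclass
class PortalList:
    table: str
    odata_enabled: bool
    enforce_table_permissions: bool  # the default that changed in 9.3.7.x


@dataclass
class Request:
    roles: set = field(default_factory=set)  # empty set models an anonymous caller


def serve_odata(lst, perms, req, rows):
    """Rows an OData request receives from this list.

    No feed enabled        -> None (nothing exposed)
    Permissions not enforced -> every row, to anyone (old default)
    Permissions enforced   -> rows only if the caller holds a Read role
    """
    if not lst.odata_enabled:
        return None
    if not lst.enforce_table_permissions:
        return list(rows)
    allowed = {p.table: p.read_roles for p in perms}.get(lst.table, set())
    return list(rows) if req.roles & allowed else []


def audit_lists(lists):
    """Names of tables whose list exposes an OData feed without enforcing
    table permissions, i.e. the configuration that leaked data."""
    return [l.table for l in lists if l.odata_enabled and not l.enforce_table_permissions]


# Hypothetical configuration objects used by the demo below.
PERMS = [TablePermission("appointment", {"Vaccination Staff"})]
OLD_DEFAULT_LIST = PortalList("appointment", odata_enabled=True, enforce_table_permissions=False)
NEW_DEFAULT_LIST = PortalList("appointment", odata_enabled=True, enforce_table_permissions=True)
NO_FEED_LIST = PortalList("appointment", odata_enabled=False, enforce_table_permissions=True)

if __name__ == "__main__":
    anon, staff = Request(), Request({"Vaccination Staff"})
    print("old default, anonymous:", len(serve_odata(OLD_DEFAULT_LIST, PERMS, anon, APPOINTMENT_ROWS)))
    print("new default, anonymous:", len(serve_odata(NEW_DEFAULT_LIST, PERMS, anon, APPOINTMENT_ROWS)))
    print("new default, staff role:", len(serve_odata(NEW_DEFAULT_LIST, PERMS, staff, APPOINTMENT_ROWS)))
    print("lists needing attention:", audit_lists([OLD_DEFAULT_LIST, NEW_DEFAULT_LIST, NO_FEED_LIST]))
```

The `audit_lists` check is the review a portal owner would want to run over their own list inventory: any list with an OData feed enabled and no enforced table permissions is serving its table to whoever asks, which is exactly the configuration the article describes.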
As UpGuard notes in its blog post, some kinds of data, such as the locations to receive COVID-19 vaccinations, are fine for public access. But the PII of those being vaccinated should not be available.
That's what happened to Denton County, Texas. The county had a Power Apps portal with several exposed OData lists. One dubbed "msemr_appointmentemrset," which contained 632,171 records, had employee names and IDs, email addresses, phone numbers, birth dates, vaccination types and appointment dates and times.
Another list called "contactVaccinationSet" contained 400,091 records with full names and vaccination types. Yet another list called "contactset" had 253,844 records with full names and email addresses. UpGuard called the county on July 7, and the data was secured the same day.
The Right Move … Eventually
Why so many big-name companies missed that Microsoft's default settings posed a danger isn't exactly clear. But Pollock surmises that Power Apps was so easy to use that people likely just spun up applications without fully reading the documentation, which warned of unsecure configurations.
"If no one has reported an issue, then no one has ever checked for an issue," Pollock says.
Even Microsoft itself set up several Power Apps portals that were unsecured, including its Global Payroll Services Portal, which answered payroll questions from Microsoft contractors and employees. That portal exposed 332,000 records with full names, personal phone numbers, email addresses and employee IDs.
In another example, Microsoft had an unsecure portal that was used to manage customer engagements and programs, UpGuard's blog notes. That one exposed 277,400 records with full names and email addresses, and some exposed lists described what programs those people were involved with.
UpGuard put effort into contacting organizations that had some of the most severe exposures, but there are likely still some affected and not aware. Pollock says hopefully other organizations will check their settings now that the issue is receiving wide attention.
Pollock says the Power Apps situation harks back to the days when Amazon S3 buckets were commonly found left open on the web, resulting in data leakages. Amazon eventually changed the default settings to make those kinds of configuration mistakes less common, he says.
In this case, Microsoft "eventually did the very right thing," Pollock says. "I think they could have done it sooner."