Low-code Development Platform
Microsoft Power Apps refers to a suite of applications organizations use to create websites and build and customize business applications. Power Apps easily connect to and link multiple data sources. Thus, the low-code development platform allows not-so-technical users to build mobile applications that once only advanced developers could create. On Monday, security researchers from UpGuard, an information security company headquartered in Australia with multiple offices in the US, revealed that they discovered multiple data leaks resulting from misconfigured Power Apps. The security researchers first discovered the issue on May 24, 2021. They then spent subsequent weeks analyzing hundreds of portals. UpGuard submitted a vulnerability report to Microsoft on June 24. The 47 affected users included companies like American Airlines, J.B. Hunt, Ford and various Microsoft groups. As well as government bodies of Indiana, Maryland and NY City. “The number of accounts exposing sensitive information indicates that the risk of this feature – the likelihood and impact of its misconfiguration – has not been adequately appreciated,” the researchers wrote.
38 Million Records Left Exposed
Across all portals, the same misconfiguration exposed 38 million records in total. The information included Covid-19 contact tracing data, dates of births, addresses, employee IDs, and, in some cases, social security numbers. Ironically, the most serious exposure was a collection of 332,000 email addresses and employee IDs used for Microsoft’s global payroll services. Documentation that comes with Microsoft’s Power Apps Portals warns users that OData feeds are public if misconfigured. Microsoft also explains that to secure a list, users must “configure Table Permissions for the table for which records are being displayed and also set the Enable Table Permissions Boolean value on the list record to true”. However, UpGuard found that many users didn’t follow this step. As a result, they left their portal lists accessible to anyone. At the moment, it seems unlikely that cybercriminals misused any leaked information. However, the State of Indiana did notify people that data from the state’s COVID-19 online contact tracing survey was improperly accessed.
“Not a Security Flaw”
Microsoft reviewed the report. Apparently, the tech company determined that “this behavior is considered to be by design”, and thus not strictly a security flaw. They closed the case on June 29 and informed their government clients over the summer, leaving it up to UpGuard to notify other affected organizations. “While we understand (and agree with) Microsoft’s position that the issue here is not strictly a software vulnerability, it is a platform issue that requires code changes to the product, and thus should go in the same workstream as vulnerabilities,” the researchers wrote. Meanwhile, Microsoft has taken steps to better secure OData feeds. They have amended their documentation page, for example, adding an extra warning. Furthermore, they released a tool that can detect if lists allow anonymous access. Lastly, a Power App update now ensures that new portals will have all data formats secured by default.