Flaw in Microsoft Power Apps exposes millions of records

Amer Owaida, security writer at ESET, explains that caches of data containing names, email addresses and social security numbers were left publicly accessible because of a misconfiguration.

Amer Owaida, security writer at ESET

A total of 38 million records stored across hundreds of Microsoft Power Apps portals have been found sitting unprotected on the internet. The treasure trove of data included a variety of personally identifiable information (PII) ranging from names and email addresses to social security numbers.

“The types of data varied between portals, including personal information used for COVID-19 contact tracing, COVID-19 vaccination appointments, social security numbers for job applicants, employee IDs, and millions of names and email addresses,” UpGuard said in a blog post detailing its discovery.

If the data were to fall into the wrong hands, it could be abused by cybercriminals for all manner of illicit activities, ranging from phishing and other social engineering attacks all the way to identity theft. Alternatively, the data could end up being sold on the dark web.

The multiple data leaks discovered and reported by the researchers were found to originate from Microsoft Power Apps portals that were configured to allow public access. Microsoft Power Apps portals is a tool that allows anyone to create responsive websites and gives both internal and external users secure access to data, either anonymously or through commercial authentication providers.

To put it into simpler terms, the main issue was that instead of some types of data such as PII remaining private, the misconfiguration led to it being publicly accessible. “In cases like registration pages for COVID-19 vaccinations, there are data types that should be public, like the locations of vaccination sites and available appointment times, and sensitive data that should be private, like the personally identifying information of the people being vaccinated,” UpGuard explained.

All in all, 47 institutions, companies, and governmental bodies from across the United States were affected. The list includes American Airlines, car manufacturer Ford, logistics company J.B. Hunt, Maryland Department of Health, the New York City Municipal Transportation Authority, New York City Schools, and even Microsoft itself.

UpGuard first discovered a Power Apps portal that contained an unsecured list with PII on May 24th. The company went on to notify the application’s owner and the data was secured. However, the case raised questions about whether there were more portals providing access to reams of poorly secured sensitive data. An analysis found that there were many Power Apps portals that were likely to store sensitive information.

On June 24th, the company notified Microsoft by filing a vulnerability report with its Security Resource Center. Beyond communicating with the Redmond tech giant, UpGuard also notified the organizations it deemed to have the most severe exposures.

Meanwhile, in response to the incident, Microsoft has taken steps to remedy the situation by releasing tools that allow users to self-diagnose their portals and by enabling Table Permissions by default, which limits the list data a user can see.
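The exposure described above comes down to a portal list that answers anonymous requests with rows mixing fields that are meant to be public (vaccination sites, appointment slots) with fields that are not (email addresses, social security numbers). Microsoft's self-diagnosis tools are the right first stop; the script below is an added example written for this article, not code from ESET, UpGuard or Microsoft, that a portal owner can run against their own portal as an independent check. It assumes you supply the URL of one of your portal's list endpoints (the hypothetical `https://portal.example/list` in the test is a placeholder), requests it with no cookies or credentials, and reports whether rows come back and which fields look like PII. The sample response is constructed for the offline demonstration.

```python
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Optional

# Heuristic value patterns for data that should never be anonymously readable.
# This is a self-audit aid, not an exhaustive PII classifier.
PII_PATTERNS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
}
# Field-name fragments that usually indicate sensitive columns (matched case-insensitively).
# Plain "name" is deliberately excluded: "SiteName" is public, "FullName" is not,
# and the script cannot tell them apart without context.
SENSITIVE_NAME_HINTS = ("ssn", "social", "birth", "dob", "phone", "email", "employeeid")


def fetch_anonymously(url: str, timeout: float = 10.0) -> Optional[str]:
    """GET the URL with no auth or cookies; return the body on HTTP 200, else None."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            if resp.status != 200:
                return None
            return resp.read().decode("utf-8", errors="replace")
    except (urllib.error.HTTPError, urllib.error.URLError):
        # 401/403/404 or a connection failure all mean "not anonymously readable".
        return None


def extract_records(body: str) -> list:
    """Accept a bare JSON array or an object whose 'value' key holds the rows."""
    doc = json.loads(body)
    if isinstance(doc, list):
        return [r for r in doc if isinstance(r, dict)]
    if isinstance(doc, dict):
        return [r for r in doc.get("value", []) if isinstance(r, dict)]
    return []


def classify_records(records: list) -> dict:
    """Map each field name to the sorted list of reasons it looks sensitive."""
    findings: dict = {}
    for rec in records:
        for name, value in rec.items():
            reasons = set()
            if any(hint in name.lower() for hint in SENSITIVE_NAME_HINTS):
                reasons.add("field-name")
            if isinstance(value, str):
                for label, pattern in PII_PATTERNS.items():
                    if pattern.match(value):
                        reasons.add(label)
            if reasons:
                findings.setdefault(name, set()).update(reasons)
    return {name: sorted(reasons) for name, reasons in findings.items()}


def audit_list(url: str, fetcher: Callable[[str], Optional[str]] = fetch_anonymously) -> dict:
    """Report whether the list is anonymously readable and which fields look like PII."""
    body = fetcher(url)
    if body is None:
        return {"anonymous_readable": False, "records": 0, "sensitive_fields": {}}
    try:
        records = extract_records(body)
    except json.JSONDecodeError:
        # Readable, but not a JSON collection (e.g. an HTML login page was returned).
        return {"anonymous_readable": True, "records": 0, "sensitive_fields": {}}
    return {
        "anonymous_readable": True,
        "records": len(records),
        "sensitive_fields": classify_records(records),
    }


# Constructed sample of a mixed public/private vaccination-slot list (not real data).
SAMPLE_RESPONSE = json.dumps({"value": [
    {"SiteName": "Clinic A", "SlotTime": "2021-06-01T09:00", "FullName": "Jane Doe",
     "Email": "jane@example.com", "SSN": "123-45-6789"},
    {"SiteName": "Clinic B", "SlotTime": "2021-06-01T10:00", "FullName": "John Roe",
     "Email": "john@example.com", "SSN": "987-65-4321"},
]})

if __name__ == "__main__":
    # Offline run against the constructed sample; swap in fetch_anonymously for a real URL.
    print(audit_list("https://portal.example/list", fetcher=lambda _u: SAMPLE_RESPONSE))
```

A result of `anonymous_readable: True` with a non-empty `sensitive_fields` map is the condition this article describes: rows that should sit behind Table Permissions are being served to anyone. An empty map with rows present is still worth a manual look, since the heuristics only catch obvious value formats and column names.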

Nothing new
Misconfigured and unsecured internet-facing databases are a perennial problem; over the past year there have been reports of numerous such incidents. In one recent case, the medical scans of millions of patients were exposed online, while another data leak involved the data of millions of hotel guests. Just days ago, the FBI-run Terrorist Screening Center (TSC) left a secret terrorist watchlist unsecured on the internet for three weeks.
