Microsoft’s Power Apps portals platform unintentionally exposed 38 million records from 47 distinct organizations online.
According to the disclosure that was made public on Monday, the exposed data contains details such as COVID-19 contact tracing, COVID-19 vaccination appointments, social security numbers for job applications, employee IDs, names and email addresses.
A wide range of entities have reportedly been affected by the incident, including the states of Indiana and Maryland, New York City, and private businesses such as American Airlines, Ford, J.B. Hunt, and Microsoft itself. According to the details that were revealed, 332,000 email addresses and employee IDs used by Microsoft’s global payroll services and 84,000 other records related to Business Tools Support and Mixed Reality portals were left in the open.
As described by Microsoft, Power Apps is an application development suite, as well as a data platform that offers a fast and flexible app development environment. The Microsoft-powered development platform is used for building low-code custom business apps that function across both mobile and web platforms. These apps incorporate prebuilt templates, as well as APIs that enable other apps to gain access to data, which includes the option to retrieve and store information.
According to the announcement made by researchers from UpGuard, if a portal’s data storage and sharing settings are configured incorrectly, the data it holds can end up publicly accessible.
In their publication, the UpGuard Research team said it reported the exposure to Microsoft on June 24, 2021, but the company closed the case, stating that it had “determined that this behavior is considered to be by design”.
Following an abuse complaint the security firm filed with the authorities on July 15, Microsoft released Portal Checker, a tool designed to detect configuration issues that can expose information. Since its release, Portal Checker has received several updates, and any newly created portals now have table permissions enforced for all forms and lists, regardless of the Enable Table Permissions setting.
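The practical difference between the old and the updated behaviour is easiest to see in an audit that applies both policies to the same portal inventory. The following is an added example, not code from the article, from Microsoft or from UpGuard: the component and permission records are a constructed, hypothetical model of a portal (not Microsoft’s export format), and the role name in ANONYMOUS_ROLE, the table names and the record layout are assumptions. It shows why a forgotten Enable Table Permissions flag no longer leads to exposure once permissions are enforced for every form and list.

```python
"""Audit which portal forms and lists are reachable by anonymous visitors.

Added example, not code from the article, Microsoft or UpGuard. The inventory
and permission records below are a constructed, hypothetical model of a
Power Apps portal (not Microsoft's export format). It contrasts the legacy
behaviour, where a form or list with "Enable Table Permissions" switched off
performs no permission check, with the updated behaviour the article
describes, where table permissions are enforced for every form and list
regardless of that flag.
"""
from dataclasses import dataclass

ANONYMOUS_ROLE = "Anonymous Users"   # assumed name of the unauthenticated web role


@dataclass(frozen=True)
class Component:
    """A portal form or list that reads rows from one table."""
    kind: str                        # "form" or "list"
    name: str
    table: str                       # table the component displays
    enable_table_permissions: bool   # the per-component flag


@dataclass(frozen=True)
class TablePermission:
    """A table permission record granting read access to some web roles."""
    table: str
    web_roles: frozenset
    read: bool


def anonymous_read_granted(table, permissions):
    """True if a permission record grants read on the table to the anonymous role."""
    return any(p.table == table and p.read and ANONYMOUS_ROLE in p.web_roles
               for p in permissions)


def exposed_components(components, permissions, enforce_regardless_of_flag):
    """Return labels of components whose rows an anonymous visitor could read.

    Legacy portals (enforce_regardless_of_flag=False): a component with the flag
    off skips the permission check entirely, so all of its rows are readable.
    Updated portals (True): the flag is ignored and access exists only where a
    table permission record explicitly grants it to the anonymous role.
    """
    exposed = []
    for c in components:
        if not enforce_regardless_of_flag and not c.enable_table_permissions:
            exposed.append(f"{c.kind}:{c.name} (no permission check: flag off)")
        elif anonymous_read_granted(c.table, permissions):
            exposed.append(f"{c.kind}:{c.name} (explicit anonymous read grant)")
    return exposed


# Constructed sample inventory: one list left with the flag off (the article's
# failure mode), one form correctly locked down, one list deliberately public.
SAMPLE_COMPONENTS = [
    Component("list", "contact-tracing-cases", "cr_tracingcase", False),
    Component("form", "job-application", "cr_jobapplication", True),
    Component("list", "public-office-locations", "cr_office", True),
]
SAMPLE_PERMISSIONS = [
    TablePermission("cr_jobapplication", frozenset({"Authenticated Users"}), True),
    TablePermission("cr_office", frozenset({ANONYMOUS_ROLE}), True),
]


def audit_sample():
    """Run both policies over the constructed inventory and return the results."""
    return {
        "legacy": exposed_components(SAMPLE_COMPONENTS, SAMPLE_PERMISSIONS, False),
        "enforced": exposed_components(SAMPLE_COMPONENTS, SAMPLE_PERMISSIONS, True),
    }


if __name__ == "__main__":
    for policy, labels in audit_sample().items():
        print(f"{policy}: {labels}")
```

Under the legacy policy the contact-tracing list is reported as exposed purely because its flag is off; under the enforced policy it drops out of the report, and the only remaining finding is the list whose table permission deliberately grants read access to the anonymous role, which is a conscious configuration choice rather than an oversight.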
Microsoft may have a point in that the issue is not strictly a software vulnerability, but security researchers insist that it is a platform issue requiring code changes to the product, and that it should be treated with the same severity as a software vulnerability.
While a label such as “end user misconfiguration” may help to identify a specific product configuration issue, a more comprehensive approach is to fix the underlying problem that allows the data to be exposed in the first place.