[BreachExchange] Misconfigured Microsoft Power Apps applications found to expose 38M records

Tue Aug 24 09:03:16 EDT 2021

https://siliconangle.com/2021/08/23/misconfigured-microsoft-power-apps-applications-found-expose-38m-records/

Misconfigured applications built using Microsoft Corp.’s Power Apps
platform made 38 million records publicly available on the open web,
according to newly released cybersecurity research.

The data leaks were the result of a default setting in the platform that
made applications’ information data accessible without a password.

The research detailing the issue was published today by UpGuard Inc., a San
Francisco startup that makes software for finding vulnerabilities in
companies’ technology infrastructure. The startup notified Microsoft before
releasing its findings. The technology giant rolled out an update to
address the data leaks earlier this month and the vast majority of affected
Power Apps applications now no longer allow access to their information,
UpGuard said.

Power Apps is a low-code development platform sold by Microsoft that
enables business users without extensive programming expertise to quickly
create custom applications. Applications built with Power Apps can be used
to automate internal business tasks at a company, like copying purchase
logs from one database to another. The platform also lends itself to
building websites such as customer support portals.

Earlier this year, an UpGuard cybersecurity expert came across a website
created with Power Apps that exposed personal information via an
application programming interface. The company notified the website’s
operator and the issue was resolved. Afterwards, UpGuard began
investigating whether there may be other Power Apps applications with the
same issue.

Over the course of its research, the company found more than 1,000 Power
Apps applications that inadvertently made their data accessible via the
open web. Among the applications were workloads developed by major
enterprises such as Ford Motor Co., American Airlines Inc. and Microsoft
itself. A number of services built by public sector organizations were
affected as well.

UpGuard determined that the affected applications exposed about 38 million
records, some of which contained sensitive information such as Social
Security numbers and personal information used for COVID-19 contact tracing.

The data leaks occurred because the operators of the affected applications
didn’t enable a key security setting in Power Apps.

Applications created with Power Apps keep their information in
spreadsheets. Those spreadsheets are hosted in a Microsoft service called
Dataverse. Until August, information in applications’ spreadsheets could by
default be accessed without a password through an application programming
interface. Companies had to specifically enable a privacy setting via the
Power Apps management console to prevent Power Apps from making information
publicly accessible.

“When a developer enables the OData feed on the ‘OData Feed’ list settings
tab, they must also activate the ‘Enable Table Permissions’ option on the
“General” list settings tab unless they wish to make the OData feed
public,” UpGuard researchers detailed in a blog post.

In the early August update that resolved the issue, Microsoft changed the
Power Apps settings to make application data inaccessible by default.
UpGuard told Wired that the vast majority of affected applications it has
found no longer make their information publicly accessible, including all
the applications containing sensitive information.

“Additionally, Microsoft has released a tool for checking Power Apps
portals and planned changes to the product so that table permissions will
be enforced by default,” UpGuard researchers wrote. “To diagnose
configuration issues, the Portal Checker can be used to detect lists that
allow anonymous access. More importantly, newly created Power Apps portals
will have table permissions enabled by default. Tables configurations can
still be changed to allow for anonymous access, but defaulting to
permissions enabled will greatly reduce the risk of future
misconfiguration.”
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210824/ec70a23c/attachment.html>