38 Million User Records Leaked Due to Misconfiguration of Microsoft Power Apps

Security researchers from UpGuard have discovered more than 38 million records belonging to 47 different organizations, exposed on the public internet because of a misconfiguration of Microsoft Power Apps portals.

Power Apps is a low-code platform for business users. It allows building custom business applications that run on mobile devices and the web from ready-made templates, and it also offers APIs for accessing application data, including various options for retrieving and storing information.

The leak reportedly affected government agencies in Indiana, Maryland and New York, as well as private companies, including American Airlines, Ford, J.B. Hunt and Microsoft itself.

"The types of data varied from portal to portal, and included personal information used to track contacts with people infected with COVID-19, designated dates for COVID-19 vaccinations, social security numbers for job seekers, employee IDs, and millions of names and email addresses," says UpGuard.

For example, 332,000 email addresses and employee IDs used for Microsoft's payroll were publicly accessible, as were more than 85,000 records associated with the Business Tools Support and Mixed Reality portals.

Microsoft Power Apps misconfiguration

The researchers write that all this data was reachable by anyone because of a configuration error, and that it leaked through the OData API that Power Apps portals expose. The problem lay in how the portal was configured to share and store data: to protect a table it is not enough to define Table Permissions for it; the list or form that exposes the table must also have Enable Table Permissions switched on, otherwise the OData feed serves the table's records to anonymous visitors. Many portal owners never enabled it.
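The check a portal owner (or a pentester with permission) would want is simple: hit the portal's OData feed with no credentials, list the tables it advertises, and see whether any of them actually return rows. The script below does that. It is an added example, not UpGuard's tooling or Microsoft's Portal Checker, and it assumes the feed lives at the standard `/_odata` path and answers in OData v4 JSON (a service document with a `value` array of entity sets, and `$top` for limiting rows); the article does not quote the exact URLs. The sample responses embedded at the bottom are constructed so the audit can be exercised offline.

```python
import json
import urllib.request
from typing import Callable, Dict, List

# Assumed path of the portal OData feed (the article does not quote it).
ODATA_PATH = "/_odata"


def fetch_anonymous(url: str) -> str:
    """Fetch a URL with no cookies or credentials, as an anonymous visitor would."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8")


def exposed_entity_sets(service_document: str) -> List[str]:
    """Return the entity-set (table) names advertised by an OData v4 service document.

    A portal only advertises a table here when some list on it has the OData feed enabled.
    """
    doc = json.loads(service_document)
    return [
        item["name"]
        for item in doc.get("value", [])
        if item.get("kind", "EntitySet") == "EntitySet"
    ]


def audit_portal(base_url: str, fetch: Callable[[str], str] = fetch_anonymous,
                 sample: int = 5) -> Dict[str, dict]:
    """Enumerate the advertised tables and try to read a few rows from each anonymously.

    Returns {entity_set: {"rows": n, "columns": [...]}}. A table with rows > 0 is
    readable without logging in, i.e. Table Permissions are not enforced on it.
    """
    base = base_url.rstrip("/")
    findings: Dict[str, dict] = {}
    for name in exposed_entity_sets(fetch(f"{base}{ODATA_PATH}")):
        try:
            body = fetch(f"{base}{ODATA_PATH}/{name}?$top={sample}")
        except Exception as exc:  # a 401/403/404 here means the table is not open
            findings[name] = {"rows": 0, "columns": [], "error": str(exc)}
            continue
        rows = json.loads(body).get("value", [])
        columns = sorted({k for row in rows for k in row if not k.startswith("@odata")})
        findings[name] = {"rows": len(rows), "columns": columns}
    return findings


def exposed_tables(findings: Dict[str, dict]) -> List[str]:
    """Names of tables from which anonymous requests actually returned records."""
    return sorted(name for name, f in findings.items() if f["rows"] > 0)


# --- Constructed sample responses so the audit runs offline -------------------
# They imitate a portal advertising three tables: two open to anonymous reads and
# one (ContactTracing) where Enable Table Permissions is on. All data is invented.
PORTAL = "https://example.powerappsportals.com"
SAMPLE_RESPONSES = {
    f"{PORTAL}{ODATA_PATH}": json.dumps({
        "value": [
            {"name": "JobApplicants", "kind": "EntitySet", "url": "JobApplicants"},
            {"name": "VaccinationSites", "kind": "EntitySet", "url": "VaccinationSites"},
            {"name": "ContactTracing", "kind": "EntitySet", "url": "ContactTracing"},
        ]
    }),
    f"{PORTAL}{ODATA_PATH}/JobApplicants?$top=5": json.dumps({
        "value": [
            {"fullname": "Jane Doe", "emailaddress": "jane@example.org", "ssn": "000-00-0000"},
            {"fullname": "John Roe", "emailaddress": "john@example.org", "ssn": "000-00-0001"},
        ]
    }),
    f"{PORTAL}{ODATA_PATH}/VaccinationSites?$top=5": json.dumps({
        "value": [{"address": "1 Main St", "openslots": 12}]
    }),
}


def sample_fetch(url: str) -> str:
    """Stand-in for fetch_anonymous; unknown URLs behave like a 403 from the portal."""
    if url not in SAMPLE_RESPONSES:
        raise PermissionError("403 Forbidden")
    return SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    result = audit_portal(PORTAL, fetch=sample_fetch)
    for table in exposed_tables(result):
        print(f"{table}: {result[table]['rows']} rows readable anonymously, "
              f"columns {result[table]['columns']}")
```

Against a real portal, call `audit_portal("https://<portal>.powerappsportals.com")` without the `fetch` argument. Any table that comes back with rows is the finding to fix; the remediation is on the portal side (Enable Table Permissions on the list or form, with Table Permissions scoped to the right web roles), not in the probe.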

"Power Apps portals have built-in options for sharing data, but they also work with data types that are inherently sensitive. In cases like COVID-19 vaccination registration pages, some types of data should be publicly available, such as vaccination site addresses and available appointment times, but there are also sensitive data that should be kept private, such as personal information about vaccinated people," the experts explain.

The researchers notified Microsoft of the exposure as early as June 24, 2021, but at first the company declined to treat it as a vulnerability, saying the behavior was "deliberate", that is, the system working as designed.

However, Microsoft subsequently took steps to alert its customers to the problem and released a Portal Checker tool designed to detect exposures caused by this misconfiguration. The company then changed Power Apps so that all new portals enforce Table Permissions on all forms and lists regardless of the Enable Table Permissions setting.

We previously reported that Microsoft and Eclypsium got into a serious dispute over Dell SupportAssist vulnerabilities.


Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
