Due to privacy blunders in Microsoft Power Apps, many firms from different sectors leaked data online. These misconfigurations in Microsoft Power Apps allowed public access to millions of records, including personal data.
Microsoft Power Apps Misconfigurations Leaked Data
Researchers from UpGuard found multiple data leak instances affecting numerous firms. Specifically, they misconfigurations in Microsoft Power Apps that publicly exposed data from different organizations.
Power Apps is a graphical software from Microsoft’s Power Platform suite that helps write low-code custom business apps.
As elaborated in UpGuard’s blog post, the cybersecurity issue existed in the OData (Open Data Protocol) API. OData retrieves data from Power Apps “lists” – the configurations fetching data from tables for display on portals. Due to misconfiguration in these APIs, OData exposed records for anonymous public access.
Although, this isn’t an unknown issue, rather a predetermined feature about which Microsoft has already mentioned in its documents.
However, it became a problem since enabling the permission required an extra step from the developers when enabling OData feed.
When a developer enables the OData feed on the “OData Feed” list settings tab, they must also activate the “Enable Table Permissions” option on the “General” list settings tab unless they wish to make the OData feed public. This is due to all lists having table permissions disabled by default. Table permissions by default will in fact prevent anonymous data access, but lists ignore these permissions and any custom table permissions unless the developer activates table permissions for the list.
Eventually, this misconfiguration exposed personally identifiable information in 38 million records from 47 entities. Mentioning some of the names of affected firms, UpGuard stated,
UpGuard notified 47 entities of exposures involving personal information, including governmental bodies like Indiana, Maryland, and New York City, and private companies like American Airlines, J.B. Hunt, and Microsoft, for a total of 38 million records across all portals.
Microsoft Addressed The Issue
After discovering the problem, UpGuard notified the relevant organizations affected due to this breach. Also, they reached out to Microsoft via its MSRC to report the same.
Eventually, Microsoft addressed the matter by enabling the table permissions by default. Also, they released the “Portal Checker” tool for Power Apps portals. This tool detects lists allowing anonymous access to let the users decide the future permissions. This, together with the default permissions enabled, would perhaps alleviate the probabilities of such misconfigurations in the future.