According to researchers, around 38 million records from thousands of web applications built on Microsoft's Power Apps platform were exposed online. The records are said to include data from COVID-19 contact tracing, vaccine registrations and employee databases, including home addresses, phone numbers, social security numbers and vaccination status.
According to Wired, the leak exposed data from major US companies and institutions, including American Airlines, Ford, the Indiana Department of Health and New York public schools. The exposure has mostly been closed. Researchers at the security company UpGuard began investigating the issue in May of this year. They found that data from many Power Apps portals that was meant to be private was available to anyone who knew where to look for it.
Power Apps is a low-code platform intended to make it easy for customers to build their own web and mobile applications, front end and back end included (mainly for internal use). It is useful because it lets people without programming skills create practical applications, and it also exposes an API that developers can use against the data those applications collect. UpGuard found, however, that by default this API made data collected through Power Apps portals available to anyone, and that a portal had to be manually reconfigured to keep the information private.
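The check a portal owner would want here is simple: request the portal's data feed with no credentials and see whether records come back. The following Python script does that, as an added example written for this page; it is not code from the article, from UpGuard or from Microsoft. Power Apps portals publish list data as OData JSON, but the `/_odata/<entity set>` path, the entity-set name and the hypothetical portal URL are this example's assumptions, and the sample responses it classifies are constructed, not captured from any real portal.

```python
"""Anonymous-exposure check for a Power Apps portal OData feed (added example).

The /_odata/ path is this example's assumption, not something the article
states.  The sample responses below are constructed, not real portal data.
"""
import json
import sys
import urllib.error
import urllib.request

ODATA_PATH = "/_odata/"  # assumed location of a portal's OData feeds


def classify_odata_response(status, content_type, body):
    """Classify what an *unauthenticated* GET of an OData entity set returned.

    'exposed'      -> 200 with JSON records: nothing is protecting the table
    'empty'        -> 200 with a JSON collection but no records (cannot conclude)
    'protected'    -> 401/403: anonymous access is refused
    'not_found'    -> 404: no feed under that name (or the feed is disabled)
    'inconclusive' -> anything else, e.g. a 200 that is really an HTML login page
    """
    if status in (401, 403):
        return "protected"
    if status == 404:
        return "not_found"
    if status != 200 or "json" not in (content_type or "").lower():
        return "inconclusive"
    try:
        doc = json.loads(body)
    except ValueError:
        return "inconclusive"
    rows = doc.get("value") if isinstance(doc, dict) else None
    if not isinstance(rows, list):
        return "inconclusive"
    return "exposed" if rows else "empty"


def exposed_fields(body):
    """Return (record_count, sorted column names) for an exposed JSON body,
    so the owner can see *which* fields are reachable without logging in."""
    rows = json.loads(body)["value"]
    names = set()
    for row in rows:
        names.update(k for k in row if not k.startswith("@odata"))
    return len(rows), sorted(names)


def probe_entity_set(base_url, entity_set, timeout=10):
    """Live check: fetch the feed with no credentials and classify the result."""
    url = base_url.rstrip("/") + ODATA_PATH + entity_set
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
            ctype = resp.headers.get("Content-Type", "")
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        status = err.code
        ctype = err.headers.get("Content-Type", "")
        body = err.read().decode("utf-8", "replace")
    return classify_odata_response(status, ctype, body)


# Constructed sample responses (status, content type, body); not real data.
SAMPLE_EXPOSED = (200, "application/json; odata.metadata=minimal", json.dumps({
    "@odata.context": "https://portal.example/_odata/$metadata#contacts",
    "value": [
        {"contactid": "0001", "fullname": "A. Example", "emailaddress1": "a@example.com"},
        {"contactid": "0002", "fullname": "B. Example", "emailaddress1": "b@example.com"},
    ],
}))
SAMPLE_PROTECTED = (403, "application/json", json.dumps({"error": {"message": "Forbidden"}}))
SAMPLE_LOGIN_PAGE = (200, "text/html; charset=utf-8", "<html><body>Sign in</body></html>")


def run_samples():
    """Classify the constructed samples; returns a name -> verdict dict."""
    return {
        "exposed": classify_odata_response(*SAMPLE_EXPOSED),
        "protected": classify_odata_response(*SAMPLE_PROTECTED),
        "login_page": classify_odata_response(*SAMPLE_LOGIN_PAGE),
    }


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: python check.py https://portal.example contacts
        print(probe_entity_set(sys.argv[1], sys.argv[2]))
    else:
        for name, verdict in run_samples().items():
            print(f"{name}: {verdict}")
        print(exposed_fields(SAMPLE_EXPOSED[2]))
```

The classifier deliberately treats a 200 that carries HTML as inconclusive rather than protected: a portal that redirects anonymous users to a sign-in page still answers 200, and counting that as "safe" is exactly the kind of false comfort that leaves a feed open. Run it against each entity set the portal exposes, not just one.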
UpGuard says it sent a vulnerability report to the Microsoft Security Response Center, including links to the Power Apps portal accounts where confidential data was exposed and steps to identify the API that allowed anonymous access to the data. The researchers worked with Microsoft to explain how to reproduce the problem, but on June 29 a Microsoft analyst told the company that the case was closed and that "it was determined that this behavior is considered to be by design."
UpGuard then began notifying some of the affected companies and organizations, which locked down their data. It also filed an abuse report with Microsoft on July 15. UpGuard says that by July 19 most of the data from the Power Apps portals, including the most sensitive information, had been secured.
Microsoft's statement: "Our products provide customers with flexibility and privacy features to design scalable solutions that meet a variety of needs. We take security and privacy seriously and encourage our customers to use best practices when configuring products in a way that best meets their privacy needs."
It cannot be denied that the fault here largely rests with the companies and organizations that left the default settings in place and exposed themselves to data leakage. On the other hand, the Power Apps platform is aimed at less experienced people who want to build applications quickly for their own use, so Microsoft could have anticipated this. The giant apparently realized its mistake, as it announced earlier this month that Power Apps portals will keep data private by default when developers use the API. It has also provided a tool that lets developers check their settings.
So far there is no indication that any of the exposed data has been misused. Among the most sensitive information exposed were 332,000 e-mail addresses and Microsoft employee IDs used for payroll processing. UpGuard also says that more than 39,000 records from portals related to Microsoft Mixed Reality, including usernames and e-mail addresses, were exposed.
The incident underscores that a misconfiguration, even an apparently minor one, can have serious consequences. Developers should double-check their settings, especially when exposing data through an API they didn't design themselves; the simplest check is to request the data without any credentials and confirm that the request is refused.