Misused Microsoft tool leaked data from 47 organizations




Photo: Peter Macdiarmid (Getty Images)

New research shows that misconfigurations of a widely used web tool have led to tens of millions of data records leaking.

Microsoft Power Apps, a popular low-code development platform, lets organizations quickly build web applications, complete with public-facing portals and the backend data management behind them. Many governments have used Power Apps to quickly stand up covid-19 contact tracing interfaces, for example.

However, incorrect product configurations can leave large amounts of data publicly exposed on the web, which is exactly what has happened.

Researchers at the cybersecurity company UpGuard recently discovered that up to 47 different entities, including governments, large corporations, and Microsoft itself, had misconfigured their Power Apps to leave data exposed.

The list includes very large institutions, including the state governments of Maryland and Indiana, and New York City public agencies such as the MTA. Large private companies, including American Airlines and the transport and logistics company JB Hunt, also had data exposed.

UpGuard researchers write that the leaked data troves include many sensitive elements, including “personal information used for COVID-19 contact tracing, COVID-19 vaccination appointments, job seekers’ social security numbers, employee IDs and millions of names and email addresses.”

According to the researchers, Microsoft itself apparently misconfigured a number of its own Power Apps databases, leaving large amounts of their records exposed. One of them apparently included a “collection of 332,000 email addresses and employee IDs used for Microsoft’s global payroll services,” the researchers write.

In June, UpGuard contacted Microsoft’s Security Response Center to submit a vulnerability report, alerting them to the widespread problem. A total of 38 million records were apparently exposed across the leaks observed by the researchers.

UpGuard ultimately concluded that Microsoft had not sufficiently addressed this security issue and that more should have been done to alert customers to the dangers of misconfiguration. The researchers write:

The number of accounts exposing sensitive information … indicates that the risk of this feature – the likelihood and impact of its bad configuration – was not sufficiently appreciated. On the one hand, the product documentation describes precisely what happens if an application is configured in this way. On the other hand, empirical evidence suggests that a disclaimer in the technical documentation is not enough to avoid the serious consequences of misconfiguring OData list feeds for Power Apps portals.

Following the UpGuard revelations, Microsoft has since changed Power Apps related permissions and defaults to make the product more secure.
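The misconfiguration the researchers describe is concrete: a Power Apps portal can publish a list as an OData feed, and if table permissions are not enforced for that feed, the portal's `/_odata` service document and the entity sets it lists are readable by anyone, with no login. The following self-audit script is an added example written for this article; it is not UpGuard's tooling or Microsoft's code. It parses an OData v4 service document (the standard `{"value": [{"name": ..., "kind": "EntitySet"}]}` shape) and classifies an anonymous response to a portal you operate: a 200 with entity sets means the feed is anonymously exposed, a 401/403 means table permissions are being enforced, a 404 means the OData endpoint is not enabled. The `/_odata` path is the portal's real feed location; the sample service document, the hostname `example.powerappsportals.com`, and the treatment of an empty `value` array as "no feeds enabled" are assumptions of the example.

```python
"""Self-audit for Power Apps portal OData feeds (added example, not the page's code).

Run anonymously (no cookies, no bearer token) against a portal your organization
owns. After enabling table permissions on every list that has its OData feed
turned on, the verdict should change from "anonymous-exposure" to "protected".
"""
import json
from urllib.error import HTTPError
from urllib.request import Request, urlopen

ODATA_PATH = "/_odata"  # service document of a Power Apps portal's OData feed


def exposed_entity_sets(service_document: str) -> list[str]:
    """Return the entity set names advertised by an OData v4 service document.

    The service document is JSON: {"@odata.context": ".../$metadata",
    "value": [{"name": "contacts", "kind": "EntitySet", "url": "contacts"}]}.
    Entries without a "kind" are EntitySets per the OData JSON spec.
    """
    doc = json.loads(service_document)
    return [
        entry["name"]
        for entry in doc.get("value", [])
        if entry.get("kind", "EntitySet") == "EntitySet"
    ]


def classify(status: int, body: str) -> str:
    """Map an anonymous HTTP response for /_odata to an audit verdict."""
    if status in (401, 403):
        return "protected"          # table permissions are enforced
    if status == 404:
        return "disabled"           # no OData feed published at all
    if status == 200:
        # Assumption of this example: an empty "value" array means that
        # no list currently has its OData feed enabled.
        return "anonymous-exposure" if exposed_entity_sets(body) else "no-feeds-enabled"
    return "unknown"


def audit_portal(base_url: str, timeout: float = 10.0) -> tuple[str, list[str]]:
    """Fetch /_odata without credentials and return (verdict, entity sets)."""
    req = Request(base_url.rstrip("/") + ODATA_PATH,
                  headers={"Accept": "application/json"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        status, body = err.code, ""
    verdict = classify(status, body)
    sets = exposed_entity_sets(body) if verdict == "anonymous-exposure" else []
    return verdict, sets


# Constructed sample service document, modelled on what a portal with two
# anonymously readable lists would return. Not real data.
SAMPLE_SERVICE_DOCUMENT = json.dumps({
    "@odata.context": "https://example.powerappsportals.com/_odata/$metadata",
    "value": [
        {"name": "contacts", "kind": "EntitySet", "url": "contacts"},
        {"name": "contact_tracing_cases", "kind": "EntitySet", "url": "contact_tracing_cases"},
        {"name": "MySingleton", "kind": "Singleton", "url": "MySingleton"},
    ],
})

if __name__ == "__main__":
    # Offline demonstration on the constructed document.
    print(classify(200, SAMPLE_SERVICE_DOCUMENT), exposed_entity_sets(SAMPLE_SERVICE_DOCUMENT))
    print(classify(403, ""))
    # Against a portal you operate (hostname is a placeholder):
    # print(audit_portal("https://example.powerappsportals.com"))
```

The verdict, not the entity-set names, is what a defender acts on: any portal reporting "anonymous-exposure" needs table permissions enabled on each list whose OData feed is turned on, after which the same anonymous request should come back as "protected". Entity-set names are returned only so the report can say which lists were reachable before the fix.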
