Misconfigured Microsoft Power Apps blamed for exposing 38 million records

Data leak, theft, and hacks became pretty standard, and this time, sensitive data leaked because of misconfigured Microsoft Power Apps. Microsoft Windows has one of the most widespread and secured operating systems globally, along with cloud integrations, software, and many more services. Privacy companies, along with forty-seven government bodies and entities, exposed 38 million sensitive data records. The data sets include even tech giant Microsoft's low-code services. Low-code or no-code services allow customers to built their own apps with little to no skill of coding.

Data was exposed among 47 entities and big titles, which the companies and platforms were unaware of. Nowadays, no-code platforms are generally used for the mass market, giving clients and customers easier access to create their apps for making internal and external data sets. UpGuard recently published an announcement of the leak, which said from OData APIs that "either anonymously or through commercial authentication." Many Low-code apps are currently appointed to Covid related applications, employee ID, job applicant tracking, vaccine appointments, and related fields. Similar to other apps, default permission on Microsoft Power Apps is the main culprit for the data exposition.

Researchers said, "While we understand (and agree with) Microsoft's position that the issue here is not strictly a software vulnerability, it is a platform issue that requires code changes to the product, and thus should go in the same workstream as vulnerabilities." They also added, "It is a better resolution to change the product in response to observed user behaviours than to label systemic loss of data confidentiality and end-user misconfiguration, allowing the problem to persist and exposing end users to the cybersecurity risk of a data breach."

The issue was first identified by UpGuard on 24th May as they did an in-depth analysis report on the matter and submitted a vulnerability report directly to Microsoft. In response, Microsoft took initial steps to investigate the matter further. As a result, Microsoft allowed OData feeds to allow anonymous data access lists on 24th June, alongside URLs that helped expose sensitive information on visible or unsecured accounts.

Five days later, Microsoft closed the case and reported that the applications were supposed to work that way by design. UpGuard started alarming affected parties about the data exposure, and when Microsoft found out almost all parties were informed, they decided to take action more strictly. Confirmation from Microsoft employees came as "the data OData feeds are anonymous and accessible by anyone that can access the portal. They do not need to be signed I and will not need any entity permission to access the data."

There are several data types, including sensitive ones like "msemr_appointment," which is used to store appointments and is a robust schema in the Power Apps catalogue. Lists and tables are there to form data in easy accessibility from which the power apps feed. There is also a "General" listing along with the "Enable Table Permissions" option, clearly visible for anyone on the portal. This causes a severe concern for many customers that UpGuard became aware of the subdomain "poweappsporatls.com."

The platform discovered over a thousand anonymously accessible lists, including American Airlines which data was accessed on 2nd July but four days later it was patched, Denton County (TX), Ford, J.B. Hunt, Maryland Department of Health, New York City Municipal Transportation Authority and NYC Schools were some of the customers of the service including Global Payroll Services. Business Tools support found 45,810 "Contact" lists aligned with 277,400 records of customer's names and business emails where Microsoft company mails were not in most of them. Microsoft services are integrated throughout the platform, and any issue regarding the leaking of sensitive information should be fixed soon.