Power Apps Users Inadvertently Exposed 38M Personal Info Records
Business and government application developers inadvertently exposed a total of 38 million records because of Microsoft's design of its Power Apps application-building service, according to a Monday announcement by UpGuard.
The kind of information that was accessible included names, e-mail addresses, Social Security numbers, COVID-19 information, and more. The exposure of this personally identifiable information was first noticed on May 24, 2021 by a researcher at UpGuard, a Hobart, Australia-based maker of a cybersecurity platform for avoiding data breaches.
On June 24, UpGuard notified Microsoft of the data exposures enabled by Power Apps application builders.
Microsoft eventually redesigned Power Apps to avoid future data exposures, although exactly when that change occurred wasn't indicated. However, UpGuard described going through a difficult process in getting to that point.
For instance, after being informed of the issue on June 24, Microsoft later closed the case with UpGuard on June 29, stating that the product was working by design.
Anonymous Access to Power Apps List Data
It was only later, after UpGuard began telling organizations about the exposed information, that Microsoft acted. In essence, Microsoft redesigned Power Apps to make it a little more difficult to mistakenly configure Open Data Protocol (OData) sharing permissions when using list data in tables.
To hear UpGuard tell it, developers using lists with Power Apps had inadvertently enabled anonymous access to that data:
Table permissions by default will in fact prevent anonymous data access, but lists ignore these permissions and any custom table permissions unless the developer activates table permissions for the list.
At least, that was the state of Power Apps portals in June, 2021. As a result of this research project, Microsoft has since made changes to Power Apps portals such that table permissions are enabled by default.
Based on that description of the problem, it's no wonder that Power Apps developers would be confused enough to misconfigure their apps.
UpGuard experienced difficulties trying to inform organizations that they had personally identifiable information exposed.
UpGuard reached out to American Airlines, Ford and J.B. Hunt, plus government agencies such as Denton County, Texas, the Maryland Department of Health, the New York City Municipal Transportation Authority and New York City schools, and the state of Indiana. The latter entity accused UpGuard of improperly accessing its data, according to UpGuard. Other organizations, especially public institutions, were slow to react.
Even Microsoft had apps that exposed its employee information, including data associated with its Global Payroll Services portal.
Microsoft, despite UpGuard's disclosure, has so far not commented publicly on the affair. UpGuard indicated that Microsoft had contacted affected parties, though. Microsoft also released a Portal Checker tool that "can be used to detect lists that allow anonymous access," UpGuard indicated. Microsoft turned on table permissions by default with Power Apps 9.3.7.x, according to a Microsoft document.
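The check described above, that is, whether a portal's lists are readable over OData with no credentials at all, can be reproduced from the outside. The following is an added example and is not Microsoft's Portal Checker, nor UpGuard's code. It assumes the portal serves a standard OData v4 service document at `/_odata` (the path Power Apps portals use for list feeds) and that each entity set can be queried at `/_odata/<name>`; the portal hostname, list names and the canned responses in `SAMPLE_RESPONSES` are constructed for illustration.

```python
"""Anonymous OData exposure check for a Power Apps portal (added example)."""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# A fetcher takes a URL and returns (HTTP status, body text). Keeping it
# injectable lets the check run against canned responses offline.
Fetcher = Callable[[str], Tuple[int, str]]


def http_get_anonymous(url: str) -> Tuple[int, str]:
    """Real fetcher: a GET with no cookies and no Authorization header,
    i.e. exactly what an unauthenticated Internet user would send."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


@dataclass
class ListResult:
    entity_set: str
    status: int
    record_count: int  # records returned by an anonymous $top=1 request
    exposed: bool      # HTTP 200 with at least one record served anonymously


def assess_portal(base_url: str, fetch: Fetcher = http_get_anonymous) -> List[ListResult]:
    """Read the portal's OData service document and probe every entity set
    anonymously. A 200 that returns records means the list is served without
    table permissions, which is the misconfiguration discussed above. A 200
    with zero records is inconclusive (the list may simply be empty)."""
    base = base_url.rstrip("/")
    status, body = fetch(f"{base}/_odata")
    if status != 200:
        return []  # feed disabled or login required: nothing to enumerate
    doc = json.loads(body)
    results: List[ListResult] = []
    for entry in doc.get("value", []):  # OData v4 service document shape (assumed)
        name = entry.get("name") or entry.get("url")
        if not name:
            continue
        s, b = fetch(f"{base}/_odata/{name}?$top=1")
        count = 0
        if s == 200:
            try:
                count = len(json.loads(b).get("value", []))
            except ValueError:
                count = 0
        results.append(ListResult(name, s, count, exposed=(s == 200 and count > 0)))
    return results


def exposed_lists(base_url: str, fetch: Fetcher = http_get_anonymous) -> List[str]:
    """Names of entity sets that returned data to an anonymous request."""
    return [r.entity_set for r in assess_portal(base_url, fetch) if r.exposed]


# Constructed sample responses: one list served anonymously, one protected.
SAMPLE_RESPONSES: Dict[str, Tuple[int, str]] = {
    "https://example.powerappsportals.com/_odata": (200, json.dumps({
        "@odata.context": "https://example.powerappsportals.com/_odata/$metadata",
        "value": [
            {"name": "contacts", "kind": "EntitySet", "url": "contacts"},
            {"name": "appointments", "kind": "EntitySet", "url": "appointments"},
        ],
    })),
    "https://example.powerappsportals.com/_odata/contacts?$top=1": (200, json.dumps({
        "value": [{"contactid": "00000000-0000-0000-0000-000000000001",
                   "emailaddress1": "jane@example.org"}],
    })),
    "https://example.powerappsportals.com/_odata/appointments?$top=1": (403, json.dumps({
        "error": {"message": "You do not have permission to access this resource."},
    })),
}


def fake_fetch(url: str) -> Tuple[int, str]:
    """Offline fetcher backed by the constructed sample above."""
    return SAMPLE_RESPONSES.get(url, (404, ""))


if __name__ == "__main__":
    for r in assess_portal("https://example.powerappsportals.com", fake_fetch):
        flag = "EXPOSED" if r.exposed else "ok"
        print(f"{r.entity_set:16} HTTP {r.status}  records={r.record_count}  {flag}")
```

Run against a real portal by passing the portal's base URL and leaving `fetch` at its default; the important property is that the request carries no session cookie, so a 200 with records is proof of anonymous exposure rather than of your own access. Because the check reads at most one record per list, it is also the right thing to stop at: the page notes that one organization treated UpGuard's verification as improper access, so confirm and report rather than pull data.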
UpGuard offered general "lessons learned" from its experience with Microsoft, saying that Microsoft did "the best thing they can, which is to enable table permissions by default" and provide diagnostic tooling. However, platform makers could improve matters to avoid such data leaks in the first place. UpGuard also noticed that organizations using the Power Apps service generally lacked access to log data to find out if the data got accessed.
UpGuard also expressed hope for an easier way to contact organizations about data breaches.
About the Author
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.