Misconfiguration in Microsoft Power Apps exposed 38 million records

There seems to be no end in sight to the exposure of sensitive data through misconfigurations. According to newly released cybersecurity research, Microsoft’s Power Apps platform exposed 38 million records to the general public on the open web because of a misconfiguration.

The data leaks resulted from a default setting in the platform that made apps’ information accessible without authentication.

The research detailing the issues was published by UpGuard, a San Francisco startup that makes software to find vulnerabilities in companies’ technology infrastructure.

The startup that found the flaw

The startup notified Microsoft before it released the findings. The tech giant rolled out a fix to address the leaks earlier this month, and many of the affected Power Apps applications are no longer at risk.

Power Apps is a low-code development platform sold by Microsoft that lets users without extensive programming knowledge quickly create custom apps. Apps built with Power Apps are used for tasks such as automating internal business processes, for example copying purchase logs from one database to another.

The platform is also suitable for building websites, such as customer support tools. UpGuard came across a website created with Power Apps that exposed personal information through its API (application programming interface).

The investigation

After finding that site, UpGuard started to investigate whether other Power Apps deployments had the same problem.

As the research progressed, the company found more than 1,000 Power Apps applications that inadvertently made their data accessible over the open web. Among them were workloads developed by major companies such as American Airlines, Microsoft itself, and Ford Motor Company.

Some public sector organizations that used the platform were affected too. Up to 38 million records were exposed for some time, containing sensitive details such as Social Security numbers and personal Covid-19 contact tracing information.