According to experts, some 38 million records from over a thousand web apps that use Microsoft’s Power Apps portals platform were left accessible online. Data from COVID-19 contact tracing operations, vaccine registrations, and employee databases, including home addresses, phone numbers, social security numbers, and vaccination status, is believed to have been included in the records.
According to Wired, the event exposed data from a number of significant organisations and institutions, including American Airlines, Ford, the Indiana Department of Health, and New York City public schools. The vulnerability has been mainly fixed.
In May, researchers from the security firm Upguard began investigating the problem. They discovered that data from several Power Apps portals, which was intended to be secret, was accessible to anyone who knew where to look.
Customers can use the Power Apps offering to easily create their own web and mobile apps. It provides developers with application programming interfaces (APIs) to use with the data they collect. Upguard discovered, however, that accessing those APIs makes data received through Power Apps Portals public by default, necessitating manual reconfiguration to keep the information private.
According to Upguard, on June 24th, it provided a vulnerability report to the Microsoft Security Resource Center, which included links to Power Apps portal accounts with sensitive data exposed and methods to discover APIs that allowed anonymous data access. Researchers collaborated with Microsoft to figure out how to replicate the problem. However, a Microsoft analyst told the firm on June 29th that the case was closed and they “determined that this behavior is considered to be by design.”
Upguard then began alerting some of the affected businesses and organisations, prompting them to take steps to secure their data. On July 15th, it filed an abuse report with Microsoft. The majority of the data from the Power Apps portals in question, including the most sensitive information, had been made private by July 19th, according to the business.
Microsoft provided Engadget with the following statement after this story was first published:
“Our products provide customers flexibility and privacy features to design scalable solutions that meet a wide variety of needs. We take security and privacy seriously, and we encourage our customers to use best practices when configuring products in ways that best meet their privacy needs.”
Microsoft said earlier this month that when developers use the Power Apps portal APIs, data will be kept private by default. It also released a tool that allows developers to double-check their settings.
There’s no evidence that any of the disclosed data has been tampered with yet. According to Upguard, 332,000 email addresses and Microsoft employee IDs used for payroll were among the most sensitive information left exposed. More than 39,000 records from portals related to Microsoft Mixed Reality, including users’ names and email addresses, were also exposed, according to the company.
The event highlights the reality that even seemingly modest misconfigurations can result in significant data breaches. Thankfully, that does not appear to be the case here. Still, it goes to illustrate that developers should double-check their settings, especially when using an API that they didn’t create.