The UpGuard Research team has found a security flaw in Microsoft Power Apps portals that is said to have led to multiple leaks, exposing the data of as many as 38 million users. According to the team's report, at least 47 entities have suffered data breaches owing to a vulnerability in the Microsoft portals. The Power Apps portals, which are accessed by the general public as well as by firms and governments, were found to be harboring a “new vector of data exposure.”
The leaked data has apparently affected “governmental bodies” in multiple states, such as Maryland, New York City, and Indiana. Private companies such as J.B. Hunt, American Airlines, and even Microsoft itself were also hit.
Specific Permissions Tampered With
Many entities use Microsoft Power Apps portals to build “low code” apps that work with cloud services. The data stored in them can be shared with both internal and external users, with data visibility for individual visitors controlled through “specific permissions.” It is these permissions that were found to harbor the flaw, analysts say.
According to the reports, the vulnerability made certain data that was meant only for authorized personnel available to anonymous users as well. This happened because an OData (Open Data Protocol) API was not functioning correctly.
Specifically, the OData API is used to retrieve data from lists in Power Apps; the lists in turn are derived from tables, which require “Table Permissions” before their data can be shared. The API works securely only when two checks are in place. First, Table Permissions must be configured for the very table from which the data is sourced. Second, the Enable Table Permissions Boolean value must be set to “TRUE” on the list. Apparently, at least one of these checks was not configured, allowing anonymous users to access the data.
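As an added example (not code from the UpGuard report or from Microsoft's tooling), the following Python audit applies the two checks above to a constructed portal inventory; the inventory model and its names are assumptions, and the extra finding for a Global-scope permission held by the Anonymous Users web role goes beyond the two checks the report describes.

```python
from dataclasses import dataclass

# Constructed inventory model (hypothetical names, not the Power Platform API).
@dataclass(frozen=True)
class TablePermission:
    table: str            # Dataverse table the permission applies to
    scope: str            # "Global", "Contact", "Account", "Parent" or "Self"
    web_roles: frozenset  # web roles the permission is assigned to

@dataclass(frozen=True)
class EntityList:
    name: str
    table: str
    odata_enabled: bool
    enable_table_permissions: bool

def audit_list(lst, permissions):
    """Findings for one list. Per the report, the list's OData feed is only
    secure when a Table Permission exists for its table AND Enable Table
    Permissions is TRUE; a Global permission held by the Anonymous Users web
    role is also flagged (added caveat beyond the report's two checks)."""
    if not lst.odata_enabled:
        return []
    findings = []
    table_perms = [p for p in permissions if p.table == lst.table]
    if not lst.enable_table_permissions:
        findings.append("Enable Table Permissions is FALSE on the list")
    if not table_perms:
        findings.append(f"no Table Permission configured for table '{lst.table}'")
    for p in table_perms:
        if p.scope == "Global" and "Anonymous Users" in p.web_roles:
            findings.append("Global-scope permission granted to Anonymous Users")
    return findings

def audit_portal(lists, permissions):
    """Map each OData-enabled list to its findings; an empty list means it passed."""
    return {l.name: audit_list(l, permissions) for l in lists if l.odata_enabled}

# Constructed sample portal configuration (sample values, not real data).
PERMISSIONS = [
    TablePermission("contact", "Global", frozenset({"Authenticated Users"})),
    TablePermission("incident", "Global", frozenset({"Anonymous Users"})),
]
LISTS = [
    EntityList("Citizen Requests", "contact", True, False),        # check 2 fails
    EntityList("Service Appointments", "appointment", True, True), # check 1 fails
    EntityList("Public Incidents", "incident", True, True),        # anonymous role
    EntityList("Staff Notes", "contact", False, True),             # OData off: skipped
    EntityList("Member Directory", "contact", True, True),         # passes
]
```

Running `audit_portal(LISTS, PERMISSIONS)` reports one finding each for the first three lists, skips the list with OData disabled, and returns an empty finding list for the one that satisfies both checks.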
Poor Data Security
Interestingly, the report also notes that although many security reviews have been carried out on Microsoft Power Apps, they have failed to surface this issue. Moreover, the impact of such issues has not been publicized, nor have they been “adequately studied.”
However, this time around, the risk has been identified and shared in Power Apps’ product documentation. At the same time, UpGuard warns that a mere warning is not enough to avoid the “serious consequences.”