Misconfigured Microsoft Power Apps Portals Exposed Millions of Records
UpGuard security researchers have identified dozens of misconfigured Microsoft Power Apps portals that exposed millions of records to anyone on the Internet.
Microsoft Power Apps portals allow organizations to create different types of websites – including social engagement application platforms, ecommerce portals, and services and support sites – that can be shared externally or internally.
Portals can be opened to anonymous visitors or gated behind authentication through commercial identity providers, including Facebook, Google, LinkedIn, or Microsoft; in either case, which table data a visitor can read is supposed to be governed by the portal's table permissions.
Misconfigurations, however, can allow unauthorized access to that data, and UpGuard says it identified a total of 47 such instances. The affected entities, ranging from airlines to government organizations to Microsoft itself, collectively exposed 38 million records to the Internet across all portals.
After discovering an incident in which personally identifiable information (PII) was being exposed through the OData API of a Power Apps portal, UpGuard launched an investigation to identify additional instances and found that dozens of other portals, including ones on the powerappsportals.us government cloud domain, exposed data through their OData APIs in the same way.
The 38 million exposed records that UpGuard identified contained various amounts of personally identifiable information, including names, addresses, phone numbers, email addresses, birth dates, vaccination types, COVID-19 testing appointment information, employer IDs, job types, and even Social Security Numbers in some cases.
Some of the affected entities include American Airlines (869,290 records), Denton County, TX (1,286,106 records), Ford (104,578 records), J.B. Hunt (962,099 records), Maryland Department of Health (388,512 records), New York City Municipal Transportation Authority and NYC Schools (898,999 records), State of Indiana (1,087,240 records), and Microsoft portals (Global Payroll Services – 332,000 records; Business Tools Support – 45,810 records; Customer Insights Portal – 277,400 records; Mixed Reality – 39,210 records; Azure China – 9,200 records).
The researchers first notified Microsoft of the issue on June 24; about a week later, Microsoft replied that the reported behavior "is considered to be by design." UpGuard then began notifying the affected parties directly, most of which secured the exposed data almost immediately.
“Microsoft eventually did take follow up actions. At some point, Microsoft notified government cloud customers of this issue. We did not receive that notification, of course, but could observe its effect in that several lists for portals on powerappsportals.us that had been public in June were no longer public by the end of July,” UpGuard says.
Microsoft also released a tool for checking Power Apps portals to confirm that no anonymous access is allowed and that permissions are enforced as intended. Microsoft treats the issue as a customer misconfiguration rather than a software vulnerability, but UpGuard believes that "it is a platform issue that requires code changes to the product, and thus should go in the same workstream as vulnerabilities."
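Organizations that want an independent, from-the-outside view of their own portal can reproduce the kind of check UpGuard performed. The script below is an added example written for this article; it is neither UpGuard's tooling nor Microsoft's checker. It assumes (as is standard for Power Apps portals, but stated here as an assumption) that the portal serves its OData service document at `/_odata` and each list's feed at `/_odata/<entity set>`, and it treats any record returned to an unauthenticated client as evidence that a list has its OData feed enabled without table permissions. The portal hostname and the responses in `SAMPLE_RESPONSES` are constructed so the example runs offline; point `audit_portal` at a real portal with the default `http_fetch` to test one you own.

```python
"""Black-box audit for anonymously readable Power Apps portal OData feeds.

Added example; not UpGuard's or Microsoft's code. Assumptions: the OData
service document lives at /_odata and entity sets at /_odata/<name>; an
anonymous GET that returns records means the list is publicly readable.
Only audit portals you are authorized to test.
"""
import json
import urllib.request
from typing import Callable, Dict, List, Tuple
from urllib.error import HTTPError

ODATA_PATH = "/_odata"  # assumption: portal OData service document path
Fetcher = Callable[[str], Tuple[int, str]]  # url -> (HTTP status, body text)


def http_fetch(url: str, timeout: float = 15.0) -> Tuple[int, str]:
    """Unauthenticated GET with no cookies, so the portal sees an anonymous user."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def parse_service_document(body: str) -> List[str]:
    """Return the entity set names advertised by an OData v4 service document."""
    doc = json.loads(body)
    return [
        entry["name"]
        for entry in doc.get("value", [])
        if entry.get("kind", "EntitySet") == "EntitySet" and "name" in entry
    ]


def audit_portal(base_url: str, fetch: Fetcher = http_fetch) -> Dict[str, Dict[str, int]]:
    """Probe every advertised entity set anonymously; report status and record count."""
    base = base_url.rstrip("/")
    status, body = fetch(base + ODATA_PATH)
    report: Dict[str, Dict[str, int]] = {}
    if status != 200:
        return report  # service document not served anonymously: nothing to probe
    for name in parse_service_document(body):
        # $top=1 keeps the probe cheap; one record is enough to prove exposure.
        set_status, set_body = fetch(f"{base}{ODATA_PATH}/{name}?$top=1")
        records = 0
        if set_status == 200:
            try:
                records = len(json.loads(set_body).get("value", []))
            except (ValueError, AttributeError):
                records = 0  # non-JSON or unexpected shape: treat as no data
        report[name] = {"status": set_status, "records": records}
    return report


def exposed_sets(report: Dict[str, Dict[str, int]]) -> List[str]:
    """Entity sets that handed at least one record to an anonymous client."""
    return sorted(name for name, r in report.items() if r["records"] > 0)


# Constructed sample: a hypothetical portal where the "contacts" list has its
# OData feed on but table permissions off, while "cases" is locked down.
SAMPLE_PORTAL = "https://example-portal.powerappsportals.com"  # hypothetical host
SAMPLE_RESPONSES = {
    "/_odata": (200, json.dumps({
        "@odata.context": "$metadata",
        "value": [{"name": "contacts", "kind": "EntitySet", "url": "contacts"},
                  {"name": "cases", "kind": "EntitySet", "url": "cases"}],
    })),
    "/_odata/contacts?$top=1": (200, json.dumps({
        "value": [{"fullname": "Jane Doe", "emailaddress1": "jane@example.invalid"}],
    })),
    "/_odata/cases?$top=1": (200, json.dumps({"value": []})),
}


def sample_fetch(url: str) -> Tuple[int, str]:
    """Offline stand-in for http_fetch that serves the constructed responses."""
    return SAMPLE_RESPONSES.get(url[len(SAMPLE_PORTAL):], (404, ""))


if __name__ == "__main__":
    result = audit_portal(SAMPLE_PORTAL, sample_fetch)
    for name, r in result.items():
        print(f"{name:<12} HTTP {r['status']}  records={r['records']}")
    print("EXPOSED:", exposed_sets(result))
```

A set that returns HTTP 200 with an empty `value` is not conclusive on its own (the table may simply be empty), so the script reports counts rather than a binary verdict; a 401 or 403, or a service document that is not served at all, is the behaviour you want to see from a portal that is meant to keep its lists private.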
“This is a great example of the impact UI design decisions can have on the decisions users make. The anonymous access enabled in Power Apps is a result of two settings that are located in different tabs in a configuration dialog box. If you enable one and skip the other, you allow everyone on the internet to access your table contents. This behavior is by design and documented, but the connection between the settings is not obvious for someone designing the application,” Ilia Sotnikov, VP at Netwrix, said in an emailed comment.
“Power Apps allow [us] to build and quickly launch no code or low code applications. Since this is hosted by Microsoft, this may create a false sense of security for a customer that just puts together the building blocks. Companies still must take time to learn the security features and the access model of the cloud platforms they use. They also should do at least basic threat modelling and security review for the applications they build and launch,” Sotnikov added.