Microsoft Power Apps Settings Blamed for Exposing 38M Data Records

essidsolutions

47 government and private organizations failed to read the Microsoft Power Apps manual and deployed misconfigured public-facing applications. The result was the exposure of an astounding 38 million data records, including personal information, social security numbers and COVID-19 vaccination details.

Enterprise security company UpGuard on Monday disclosed leaks of tens of millions of data records, including personal information about COVID-19 vaccinations. In total, the leaks exposed 38 million data records as a result of misconfigurations in Microsoft Power Apps, a low-code application service that the affected organizations use.

Microsoft Power Apps is a way for organizations to quickly create business intelligence tools and, when configured correctly, to give users access to relevant data. Unfortunately for all those affected, including the people whose data was leaked, a certain API was turned on by default for Power Apps.

Consequently, data belonging to 47 government and private organizations was exposed. One such entity, the State of Indiana Department of Health, confirmed the leak last week. “The Indiana Department of Health (IDOH) is notifying nearly 750,000 Hoosiers that data from the state’s COVID-19 online contact tracing survey was improperly accessed. The data included name, address, email, gender, ethnicity and race, and date of birth,” the State of Indiana said.

Indiana’s chief information officer Tracy Barnes wasn’t particularly happy with UpGuard’s approach. He said, “The company that accessed the data is one that intentionally looks for software vulnerabilities, then reaches out to seek business.”

It’s hard to say whether that’s true, but considering what’s at stake, it seems like the wrong time to lash out at the company that discovered the leak.

Discovery of Microsoft Power Apps Data Leak

The leak was discovered in May 2021, when an UpGuard analyst found that the OData API of a Power Apps portal was serving data organized as lists, including personally identifiable information, to anonymous requests. Because this setting is on by default, the leak itself isn’t caused by a vulnerability in the strict sense of the word. This is borne out by the fact that data organized as tables remained secured in Power Apps; only the list representation was exposed.

Websites built on Power Apps are usually designed to exchange personal information and are generally customer-facing. The platform also lets them interact with data from Microsoft Dataverse or other Microsoft data sources such as SharePoint, Microsoft 365, Dynamics 365 and SQL Server. So when UpGuard researchers tried to access the exposed list data, they found that over one thousand OData lists were configured by default to be publicly accessible for each portal.

Subsequently, UpGuard reported its findings to Microsoft as a vulnerability in June. The company also notified all affected parties so they could secure their data before Microsoft made the necessary changes.

[Image: Microsoft Response to UpGuard | Source: UpGuard]

“While we understand (and agree with) Microsoft’s position that the issue here is not strictly a software vulnerability, it is a platform issue that requires code changes to the product, and thus should go in the same workstream as vulnerabilities,” UpGuard said.

“It is a better resolution to change the product in response to observed user behaviors than to label systemic loss of data confidentiality an end user misconfiguration, allowing the problem to persist and exposing end users to the cybersecurity risk of a data breach.”

See Also: Microsoft’s Cloud Misconfiguration Blunder May Have Cost Them 63 GB of Sensitive Data

What Was Leaked and Who Was Affected?

UpGuard identified 47 public and private entities affected by the leak, which encompasses 38 million data records. The exposed records include COVID-19 contact tracing data, COVID-19 vaccination appointments, social security numbers of job applicants, employee IDs, names, and email addresses.

Organizations which were exposed due to the misconfiguration are:

Name / No. of Data Records / Data Type Exposed

American Airlines
398,890: Full Names, Job Titles, Phone Numbers, Email Addresses

Denton County, TX
632,171: Vaccination Types, Appointment Dates and Times, Employee IDs, Full Names, Email Addresses, Phone Numbers, Dates of Birth

400,091: Full Names, Vaccination Types

253,844: Full Names, Email Addresses

Ford
104,578: Full Name, Title, Phone Number

101,895: Email Addresses

J.B. Hunt
905,228: Full Names, Email Addresses, Physical Addresses, Phone Numbers

253,288: Records Matching US Social Security Number

51,028: Full Names, Drug Test Dates and Locations

5,843: Full Names, Email Addresses, Job Titles, Phone Numbers

Maryland Department of Health
280,410: COVID-19 Testing Appointments with Appointment Date, Time, and Location

108,102: Full Names, Email Addresses, Phone Numbers (Some Cases)

New York City Municipal Transportation Authority
78,865: Full Names, Dates of Birth, Email Addresses, Phone Numbers, Union Membership, Work Locations

63,706: Full Names, Vaccination Dates, Vaccination Types

52,253: Full Names, Dates of Birth, Email Addresses, Phone Numbers, Physical Addresses

NYC Department of Education
412,220: Full Names, District Borough Numbers

291,955: Full Names, Usernames, District Borough Numbers, Email Addresses

747,980: Contact Details

339,260: Full Names, County, Dates of Birth

Microsoft Global Payroll Services
332,000: @microsoft.com Email Address, Full Name, Phone Numbers, Employee ID

Microsoft Business Tools Support
45,810: Full Names, @microsoft.com Email Addresses

Microsoft Customer Insights Portal
277,400: Full Name, Business Email Addresses

Microsoft Mixed Reality
39,210: Business and Personal Email Accounts, Full Name, Name of Their Microsoft Liaison

Microsoft Azure China
7,936: Customer Agreements

1,264: Full Name, Role, Email Address

Of these, UpGuard signed a declaration for the State of Indiana that certifies:

  • That data was publicly exposed
  • The number of individuals affected
  • The types of data exposed
  • That UpGuard had destroyed its copy of the data

Please note that Azure China is operated and transacted by Shanghai Blue Cloud Technology Co., Ltd. (21Vianet), a wholly owned subsidiary of Beijing 21Vianet Broadband Data Center Co., Ltd.

See Also: How To Overcome the Cloud Misconfiguration Threat and Avoid Unexpected Costs

What Did Microsoft Do in Response to the Leak?

Initially, nothing, since the ‘behavior is by design.’ Later, Redmond notified its government customers and possibly others as well. “We did not receive that notification, of course, but could observe its effect in that several lists for portals on powerappsportals.us that had been public in June were no longer public by the end of July,” UpGuard said.

Jukka Niiranen, Power Apps platform advisor and co-founder at Forward Forever, said in a post on LinkedIn, “Whenever I present to customers the different types of Power Apps types, I try to get the message across that Portals aren’t something you want to try and build with a ‘citizen developer’ skillset.”

He adds, “The world of complexity that lies behind the product is scary even for many XRM veterans like myself. Sure, it may well be the best route for building online services on top of processes managed in Dataverse, but it’s nothing like building a Canvas or Model-driven app.”

Heeding Niiranen’s advice, a good way to ensure the security of data in Power Apps is to use Portal Checker, a tool Microsoft recently released. Portal Checker lets developers check whether lists are publicly accessible and exposed.
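The discovery section describes the failure mode precisely: a portal list whose OData feed is turned on while table permissions are off is served to anonymous callers. The following script is an added example, not code from this article, from UpGuard, or from Microsoft’s Portal Checker; it performs the same kind of check offline against an export of the portal’s list (adx_entitylist) records, so that an administrator can run it in a pipeline without touching the live portal. The field names (adx_name, adx_entityname, adx_odata_enabled, adx_odata_entitysetname, adx_entitypermissionsenabled) are the Entity List attributes as the author understands them and should be confirmed against your own environment; the sample export is constructed for illustration.

```python
"""Offline audit of Power Apps portal list (adx_entitylist) settings.

Added example; not Microsoft's Portal Checker and not UpGuard's tooling.
It flags the combination the article describes: a list whose OData feed
is enabled while table (entity) permissions are disabled, which lets the
portal's OData API return the list's rows to anonymous requests.

Assumptions (confirm against your environment):
  * The export is a JSON array of adx_entitylist records.
  * Field names follow the Entity List table as the author understands
    them: adx_name, adx_entityname, adx_odata_enabled,
    adx_odata_entitysetname, adx_entitypermissionsenabled.
"""
import json

# Constructed sample export; list names and values are invented.
SAMPLE_EXPORT = json.dumps([
    {"adx_name": "Vaccine Appointments", "adx_entityname": "contact",
     "adx_odata_enabled": True, "adx_odata_entitysetname": "appointments",
     "adx_entitypermissionsenabled": False},
    {"adx_name": "Job Applicants", "adx_entityname": "cr1_applicant",
     "adx_odata_enabled": True, "adx_odata_entitysetname": "applicants",
     "adx_entitypermissionsenabled": False},
    {"adx_name": "Case List", "adx_entityname": "incident",
     "adx_odata_enabled": True, "adx_odata_entitysetname": "cases",
     "adx_entitypermissionsenabled": True},
    {"adx_name": "Knowledge Articles", "adx_entityname": "knowledgearticle",
     "adx_odata_enabled": False, "adx_odata_entitysetname": None,
     "adx_entitypermissionsenabled": False},
])

# Worst severity sorts first in the report.
SEVERITY_ORDER = {"high": 0, "medium": 1, "ok": 2}


def classify_list(record):
    """Return (severity, reason) for one adx_entitylist record."""
    odata_on = bool(record.get("adx_odata_enabled"))
    perms_on = bool(record.get("adx_entitypermissionsenabled"))
    if odata_on and not perms_on:
        # The exact misconfiguration behind the leak described above.
        return "high", "OData feed enabled without table permissions: rows readable anonymously"
    if odata_on:
        # Permissions are on, but the web-role grants still decide who can read.
        return "medium", "OData feed enabled; verify web-role read privileges on the table permission"
    return "ok", "OData feed disabled for this list"


def audit_export(export_json):
    """Parse a JSON export of list records and return findings, worst first."""
    records = json.loads(export_json)
    findings = []
    for rec in records:
        severity, reason = classify_list(rec)
        findings.append({
            "list": rec.get("adx_name"),
            "table": rec.get("adx_entityname"),
            "entity_set": rec.get("adx_odata_entitysetname"),
            "severity": severity,
            "reason": reason,
        })
    # sort() is stable, so lists of equal severity keep their export order.
    findings.sort(key=lambda f: SEVERITY_ORDER[f["severity"]])
    return findings


def summarize(findings):
    """Count findings per severity so a CI job can fail on any 'high'."""
    counts = {"high": 0, "medium": 0, "ok": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


if __name__ == "__main__":
    results = audit_export(SAMPLE_EXPORT)
    for f in results:
        print(f"[{f['severity'].upper():6}] {f['list']} "
              f"(table={f['table']}, set={f['entity_set']}): {f['reason']}")
    print(summarize(results))
```

Run against a real export, the script is only as good as the fields in that export; a list that passes here can still over-share if the table permission it relies on grants read access to the Anonymous Users web role, which is why the "medium" findings ask for a manual check of the role assignments.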

Closing Thoughts

Misconfigurations have been a problem for a while now. Aqua Security found that 90% of companies are vulnerable to cloud misconfigurations. While this leak from Microsoft Power Apps isn’t necessarily linked to a misconfigured cloud, it does underline the necessity of adopting best practices for good security hygiene.

SaaS vendors need to make the associated risks clear to clients through relevant documentation or an intermediary. Clients, on the other hand, need to select the safest course of action only after reviewing all the features.

Not like we don’t give you any warnings… These could be worded better, I’ll admit. But we all know the problem with warning messages 🙂 pic.twitter.com/owKS8E46ih

— Will Thompson (@Will_MI77) August 23, 2021

UpGuard didn’t say if any of the data was compromised in a breach.
