Over 38 million records from 47 users of Microsoft’s Power Apps were left exposed online. The issue was called a “new vector of data exposure” and raised fresh security concerns over storing large amounts of sensitive data in the cloud.
“The types of data varied between portals, including personal information used for COVID-19 contact tracing, COVID-19 vaccination appointments, social security numbers for job applicants, employee IDs, and millions of names and email addresses,” UpGuard Research team said in a disclosure published on Monday.
Various governments and companies have been affected by the leak. Some of these include governmental entities from Indiana, Maryland, and New York City, and such private companies as American Airlines, Ford, J.B. Hunt, and Microsoft itself.
Among the sensitive information left exposed were the email addresses and employee IDs of over 330,000 Microsoft employees and over 85,000 records from its Business Tools Support and Mixed Reality portals.
Power Apps is a platform that enables developers to create business apps that run on both the web and mobile platforms. It offers pre-built templates and APIs that allow users to interact with data in various ways. In the company’s own words, it is a “suite of apps, services, and connectors, as well as a data platform, that provides a rapid development environment to build custom apps for your business needs.”
It was revealed that, due to a misconfiguration in the way a portal shares and stores data, a leak could occur and expose sensitive information to the public.
“Power Apps portals have options built in for sharing data, but they also have built in data types that are inherently sensitive,” the researchers said. “In cases like registration pages for COVID-19 vaccinations, there are data types that should be public, like the locations of vaccination sites and available appointment times, and sensitive data that should be private, like the personally identifying information of the people being vaccinated.”
Security firm UpGuard said it notified Microsoft about the data leak in June 2021. The company initially downplayed its severity, but later alerted its government cloud customers of the issue.
In addition, Microsoft has released a Portal Checker tool to diagnose portal misconfigurations. It also made updates so that “newly created portals will have table permissions enforced for all forms and lists irrespective of the Enable Table Permissions setting.”
“While we understand (and agree with) Microsoft’s position that the issue here is not strictly a software vulnerability, it is a platform issue that requires code changes to the product, and thus should go in the same workstream as vulnerabilities,” the researchers noted.
“It is a better resolution to change the product in response to observed user behaviors than to label systemic loss of data confidentiality an end user misconfiguration, allowing the problem to persist and exposing end users to the cybersecurity risk of a data breach.”