Misconfigured Microsoft Power Apps portals left personal data belonging to 47 government entities and private companies, including Microsoft itself, visible on the internet.
Disclosed by security company UpGuard, the leaks exposed a total of 38 million records, including personal information used for COVID-19 contact tracing, COVID-19 vaccination appointments, Social Security numbers of job applicants, employee IDs, and millions of names and email addresses.
The organizations affected include government bodies such as Indiana, Maryland, and New York City, and private companies such as American Airlines, J.B. Hunt, and Microsoft.
Microsoft describes Power Apps as a “suite of apps, services, and connectors, as well as a data platform, that provides a rapid development environment to build custom apps for your business needs.”
Microsoft customers use the tool to build public-facing websites (portals) that read data from Power Apps through Open Data Protocol (OData) APIs.
The API serves Power Apps lists, the Power Apps configuration object used to expose records for display on a portal.
Lists pull data from tables, and limiting access to the list data that a user can see requires enabling Table Permissions.
“To secure a list, you must configure Table Permissions for the table for which records are being displayed and also set the Enable Table Permissions Boolean value on the list record to true,” Microsoft explains in its documentation. If those configurations are not set and the OData feed is enabled, anonymous users can access list data freely.
Power Apps portals have built-in options for sharing data, but they also ship with built-in data types that are inherently sensitive.
In this case, UpGuard found four separate portals with lists called “msemr_appointmentemrset” used to store information about people booking medical appointments, strongly suggesting this is a schema from the Power Apps catalog rather than one that separate users each devised independently.
Power Apps Portals lists are created to display data from tables. These tables are stored within Microsoft Dataverse. When a developer enables the OData feed on the “OData Feed” list settings tab, they must also activate the “Enable Table Permissions” option on the “General” list settings tab unless they wish to make the OData feed public.
This is because all lists have table permissions disabled by default. Table permissions do by default prevent anonymous data access, but a list ignores them, along with any custom table permissions, unless the developer enables table permissions on that list.
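The two settings described above (the OData feed toggle and the Enable Table Permissions toggle on a list, plus the table permissions defined for the underlying table) are what decide whether a list is served anonymously. The following is an added illustration, not Microsoft's portal checker and not UpGuard's code: a small audit that walks a set of list configurations and flags the combinations the article describes. The record fields (`odata_enabled`, `enable_table_permissions`, `web_roles`), the `SENSITIVE_HINTS` keywords and the sample records are assumptions constructed for the example; the list name “msemr_appointmentemrset” is the one named in the article, and “Anonymous Users” is assumed to match the portal's default web role name.

```python
"""Hypothetical audit of Power Apps portal list settings for anonymous OData exposure.

Not Microsoft's tooling. Models the three facts from the article:
  1. A list only serves data over OData when its OData feed is enabled.
  2. With the feed enabled and Enable Table Permissions off, the list ignores
     all table permissions and anonymous users can read every record.
  3. With Enable Table Permissions on, access follows the table permissions
     defined for the underlying table (none defined -> nothing is served).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TablePermission:
    table: str                  # logical table name in Dataverse (assumed field)
    web_roles: tuple            # web roles the permission is granted to (assumed field)


@dataclass(frozen=True)
class PortalList:
    name: str                   # list name as shown in the portal (assumed field)
    table: str                  # table the list displays (assumed field)
    odata_enabled: bool         # "OData Feed" tab setting (assumed field)
    enable_table_permissions: bool  # "General" tab setting (assumed field)


# Name fragments that hint at personal or medical data; constructed for the example.
SENSITIVE_HINTS = ("msemr_", "appointment", "vaccin", "contact", "ssn", "applicant")


def looks_sensitive(lst: PortalList) -> bool:
    text = (lst.name + " " + lst.table).lower()
    return any(hint in text for hint in SENSITIVE_HINTS)


def audit(lists, permissions):
    """Return findings as (list_name, severity, reason) tuples."""
    perms_by_table = {}
    for perm in permissions:
        perms_by_table.setdefault(perm.table, []).append(perm)

    findings = []
    for lst in lists:
        if not lst.odata_enabled:
            continue  # no feed, so nothing is served regardless of permissions
        escalated = "critical" if looks_sensitive(lst) else "high"
        if not lst.enable_table_permissions:
            findings.append((lst.name, escalated,
                             "OData feed enabled but Enable Table Permissions is off: "
                             "anonymous read of every record in the table"))
            continue
        table_perms = perms_by_table.get(lst.table, [])
        if not table_perms:
            findings.append((lst.name, "medium",
                             "table permissions enforced but none defined for the table; "
                             "feed serves nothing, confirm this is intended"))
        elif any("Anonymous Users" in p.web_roles for p in table_perms):
            findings.append((lst.name, escalated,
                             "a table permission grants the Anonymous Users web role"))
    return findings


# Constructed sample configuration covering each branch of the audit.
SAMPLE_LISTS = [
    PortalList("msemr_appointmentemrset", "msemr_appointmentemr", True, False),
    PortalList("press_releases", "cr1_pressrelease", True, False),
    PortalList("job_applicants", "cr1_applicant", True, True),
    PortalList("internal_notes", "cr1_note", False, False),
    PortalList("events", "cr1_event", True, True),
]
SAMPLE_PERMISSIONS = [
    TablePermission("cr1_applicant", ("Authenticated Users",)),
]


def exposed_to_anonymous(findings):
    """Names of lists whose findings mean anonymous users can read records."""
    return sorted(name for name, sev, _ in findings if sev in ("critical", "high"))


if __name__ == "__main__":
    for name, severity, reason in audit(SAMPLE_LISTS, SAMPLE_PERMISSIONS):
        print(f"[{severity}] {name}: {reason}")
```

Run against the sample data, the medical-appointment list is reported as critical and the press-release list as high, both because the feed is on while the per-list permission switch is off; the events list is only a medium note because permissions are enforced but none exist, and the applicant list is clean because its only permission is for authenticated users.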
UpGuard first discovered the issue with the Power Apps portals on May 24, 2021.
“Among the examples of sensitive data exposed via OData APIs were three Power Apps portals used by American governmental entities to track COVID-19 tracing or vaccination and a portal with job applicant data including Social Security Numbers,” UpGuard said in a blog post.
“We mentioned that these instances were examples of a broader pattern, with a significant number of Power Apps portals configured to allow anonymous access to lists and exposing PII as a result.”
The company submitted a vulnerability report to the Microsoft Security Resource Center (MSRC) on June 24, 2021. Microsoft promptly began to investigate the issue and closed the case on June 29, 2021, informing UpGuard that they had “determined that this behavior is considered to be by design.”
In August, the Redmond giant released an update that makes enabled APIs private by default. It also rolled out a tool to help Power Apps users check the security settings of their portals.
“Our products provide customers flexibility and privacy features to design scalable solutions that meet a wide variety of needs. We take security and privacy seriously, and we encourage our customers to use best practices when configuring products in ways that best meet their privacy needs,” said a Microsoft spokesperson.
UpGuard agrees with Microsoft’s position that the issue is not strictly a software vulnerability, but it maintains that it is a platform issue that “requires code changes to the product.”
“It is a better resolution to change the product in response to observed user behaviors than to label systemic loss of data confidentiality an end-user misconfiguration, allowing the problem to persist and exposing end users to the cybersecurity risk of a data breach,” UpGuard said.
“Ultimately, Microsoft has done the best thing they can, which is to enable table permissions by default and provided tooling to help Power Apps users self-diagnose their portals.”