Microsoft’s Power Apps portals were unintentionally left exposing data online, drawing attention to what has been called a “new vector of data exposure” involving more than 38 million records from 47 different entities.
Microsoft Power Apps is a browser-based platform that lets non-developers build low-code, customized business apps by dragging and dropping objects in a web browser. Power Apps targets business users and works across mobile and the web, with options to retrieve and store information.
An analyst at UpGuard first discovered that the OData API for a Power Apps portal exposed list data, including personally identifiable information, to anonymous requests. UpGuard’s view is that, while this isn’t precisely a software vulnerability, it is a platform issue that requires changes to the product’s code, and thus should be handled in the same way as a vulnerability.
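The exposure described above comes down to one question a portal owner can answer for themselves: does the portal’s OData feed return list data to a request that carries no credentials? The script below is an added example, not code from UpGuard or Microsoft, that performs that self-audit against a portal you own. It assumes the feed sits at the default `/_odata` path (a customised portal may differ) and that the feed honours the standard OData `$top` query option; it reads the service document, then asks each listed entity set for at most one row and records only whether a row came back, never its contents. The constructed sample responses at the bottom let the logic run offline against a fictitious hostname.

```python
"""Self-audit: does a Power Apps portal's OData feed answer anonymous requests?
Added example; not code from the original article. Assumes the default /_odata path."""
import json
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, str, str]          # (HTTP status, Content-Type, body text)
Fetcher = Callable[[str], Response]

ODATA_FEED_PATH = "/_odata"              # assumption: portal uses the default feed path


def fetch_anonymous(url: str, timeout: float = 10.0) -> Response:
    """GET without cookies or credentials, so the reply is what an anonymous visitor sees."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
            return resp.status, resp.headers.get("Content-Type", ""), body
    except urllib.error.HTTPError as err:
        body = err.read().decode("utf-8", errors="replace")
        ctype = err.headers.get("Content-Type", "") if err.headers else ""
        return err.code, ctype, body


def classify_feed(resp: Response) -> dict:
    """Turn the service-document response into a finding: is the feed listing tables anonymously?"""
    status, ctype, body = resp
    finding = {"status": status, "exposed": False, "entity_sets": [], "reason": ""}
    if status in (401, 403):
        finding["reason"] = "feed requires authentication (expected)"
    elif status == 404:
        finding["reason"] = "OData feed disabled or not at the default path"
    elif status != 200 or "json" not in ctype.lower():
        finding["reason"] = f"unexpected response ({status}, {ctype!r})"
    else:
        try:
            doc = json.loads(body)
        except json.JSONDecodeError:
            finding["reason"] = "200 but body is not JSON"
            return finding
        # OData v4 service document: {"value": [{"name": ..., "url": ...}, ...]}
        sets = [e["name"] for e in doc.get("value", []) if isinstance(e, dict) and e.get("name")]
        finding["entity_sets"] = sets
        finding["exposed"] = bool(sets)
        finding["reason"] = (f"{len(sets)} entity set(s) listed anonymously" if sets
                             else "feed reachable but lists no entity sets")
    return finding


def audit_portal(base_url: str, fetch: Fetcher = fetch_anonymous) -> dict:
    """Check the feed, then probe each listed entity set for one row. Row contents are discarded."""
    base = base_url.rstrip("/")
    feed = classify_feed(fetch(base + ODATA_FEED_PATH))
    rows: Dict[str, Optional[int]] = {}
    for name in feed["entity_sets"]:
        status, ctype, body = fetch(f"{base}{ODATA_FEED_PATH}/{name}?$top=1")  # assumes $top support
        if status == 200 and "json" in ctype.lower():
            try:
                rows[name] = len(json.loads(body).get("value", []))
            except json.JSONDecodeError:
                rows[name] = None
        else:
            rows[name] = None            # denied or error: table permissions are doing their job
    readable = [name for name, count in rows.items() if count]
    return {"feed": feed, "anonymous_rows": rows, "readable": readable}


# --- constructed sample responses so the audit can be exercised offline ---
SAMPLE_BASE = "https://example-portal.invalid"   # fictitious hostname, not a real portal
SAMPLE_RESPONSES: Dict[str, Response] = {
    SAMPLE_BASE + "/_odata": (200, "application/json", json.dumps(
        {"value": [{"name": "contacts", "url": "contacts"}, {"name": "cases", "url": "cases"}]})),
    # a list whose table permissions allow anonymous read: one constructed row comes back
    SAMPLE_BASE + "/_odata/contacts?$top=1": (200, "application/json", json.dumps(
        {"value": [{"fullname": "Sample Person", "emailaddress1": "sample@example.invalid"}]})),
    # a list that is exposed in the feed but correctly denies anonymous reads
    SAMPLE_BASE + "/_odata/cases?$top=1": (403, "text/html", "Forbidden"),
}


def fake_fetch(url: str) -> Response:
    return SAMPLE_RESPONSES.get(url, (404, "text/html", "Not Found"))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_BASE
    fetcher = fetch_anonymous if len(sys.argv) > 1 else fake_fetch
    result = audit_portal(target, fetch=fetcher)
    print(result["feed"]["reason"])
    for name, count in result["anonymous_rows"].items():
        state = "ANONYMOUSLY READABLE" if count else ("denied/error" if count is None else "empty")
        print(f"  {name}: {state}")
```

Run it with no arguments to see the constructed case, or pass the base URL of a portal you operate. An entity set in `readable` means the list is both published to the feed and readable without sign-in; the fix is on the portal side (table permissions or removing the list from the feed), which is exactly the kind of access-model review the quotes below argue for.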
“The real scale of the issue is hard to assess. On one hand, it is obvious that headlines are overstating it: the majority of the exposed 38 million records did not include the most sensitive details like SSN or health information. Security researchers from UpGuard give some examples of data the exposed records included in their blog post. For the majority of records this was limited to names and email addresses. That said, more sensitive information was still exposed for at least hundreds of thousands of individuals. On the other hand, there is no way to be certain these records had not been harvested before UpGuard reported the issue to Microsoft and the application owners,” according to Ilia Sotnikov, VP of User Experience & Security Strategist at Netwrix.
Kenn White, director of the Open Crypto Audit Project, said it was a wake-up call for the industry as a whole. “Secure default settings matter,” he told Wired. “When a pattern emerges in web-facing systems built using a particular technology that continue to be misconfigured, something is very wrong. If developers from diverse industries and technical backgrounds continue to make the same missteps on a platform, the spotlight should be squarely on the builder of that platform.”
Ilia Sotnikov also said, “This news should hopefully lead both vendors and companies to think more about the balance between time to market and security of their solutions. Power Apps allows building and quickly launching no-code or low-code applications. Since this is hosted by Microsoft, this may create a false sense of security for a customer that just puts together the building blocks. Companies still must take time to learn the security features and the access model of the cloud platforms they use. They also should do at least basic threat modelling and security review for the applications they build and launch.”
“Hats off to the UpGuard team for their efforts not only to report the issue to the vendor (Microsoft), but working closely with affected parties to remediate the impact of potential exposure of sensitive data,” continued Netwrix’s VP of User Experience & Security Strategy. “Great way to handle security research and coordinate the response and disclosure efforts across multiple parties.”
With more and more information moving online, cyberattacks increasing, and hackers around every corner, sensitive data is leaked ever more often, and it is more important than ever that businesses extensively safeguard their IT. Consistently, it is the “bad” news surrounding data breaches that we hear about, not the good Samaritan offering a hand.