Microsoft Power Apps Leak Data for 38 Million Users
- By Dawna M. Roberts
- Published: Oct 27, 2021
- Last Updated: Mar 18, 2022
Microsoft is in the news again with another data leak researchers are calling a “flaw,” but the company denies any issue with the Power Apps platform.
What is Going On?
A Microsoft Power Apps bug leaked data belonging to 38 million customers, with hundreds of misconfigured online portals exposed. According to Threatpost,
“Data leaked includes COVID-19 vaccination records, Social Security numbers and email addresses tied to American Airlines, Ford, Indiana Department of Health and New York City public schools.”
As described by Microsoft, Power Apps are a “suite of apps, services, and connectors, as well as a data platform, that provides a rapid development environment to build custom apps for your business needs.” Developers often use Power Apps and store information in the cloud during app development.
On Monday, UpGuard Research discovered that Microsoft’s Power Apps had inadvertently leaked data from 47 separate businesses. Researchers found 38 million leaked records. The issue was found to be a flaw in Power Apps “in the way it forced customers to configure their data as private or public.”
UpGuard discovered the problem in June and notified 47 companies of the danger of their exposed data. When UpGuard notified Microsoft, the company responded that it was “by-design behavior,” and not a flaw at all.
How Did Microsoft Respond?
Microsoft commented that it does not see the issue as a bug but as a configuration matter that may need some customization down the road.
Data Breach Today reported that,
“Microsoft has now changed a default setting in Power Apps to make using the service more secure and less likely to inadvertently expose data. Prior to the change, the company had warned in its Power Apps documentation of the danger of unsecured configurations, but that apparently went unnoticed.”
What Was Found in the Leak?
According to Threatpost, threat researchers found the following information along with the data mentioned above.
“American Airlines: A collection of 398,890 “contact” records, which included full names, job titles, phone numbers, and email addresses. A second “test” collection of data included 470,400 records, which included full names, job titles, phone numbers, and email addresses.
Denton County, TX: A total of 632,171 records spilled included vaccination types, appointment dates and times, employee IDs, full names, email addresses, phone numbers, and birth dates. “The list ‘contactVaccinationSet’ had 400,091 records with fields for full names and vaccination types, and ‘contacts’ had 253,844 records with full names and email addresses,” researchers wrote.
J.B. Hunt Transport Services: The transportation logistics firm made public 905,228 records that included customer full names, email addresses, physical addresses, and phone numbers. Over a quarter-million of the records also included the US Social Security numbers.
Microsoft’s own The Global Payroll Services Portal: Researchers found 332,000 records of Microsoft employees and contractors with their @microsoft.com email address, full name, and phone numbers that appear to be for personal use.”
In its public disclosure, UpGuard mentioned that,
“In cases like registration pages for COVID-19 vaccinations, there are data types that should be public, like the locations of vaccination sites and available appointment times, and sensitive data that should be private, like the personally identifying information of the people being vaccinated.”
The bottom line is that the issue stems from the Open Data Protocol (OData) feed and the PowerApps API. “If those configurations are not set, and the OData feed is enabled, anonymous users can access list data freely,” researchers wrote.
Threatpost explains that,
“More specifically, they focused on how data (such as personally identifiable information, or PII) is stored and formatted into “Table Permissions” for sharing – or not. The crux of the issue boiled down to configuration settings that instruct a PowerApps user to “set the Enable Table Permissions Boolean value on the list record to true.”
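As an added example (not from the article, UpGuard or Microsoft), the rule the researchers describe, applied as an audit over a constructed export of portal list settings: a list with the OData feed enabled and table permissions not enabled is readable anonymously. The field names `odata_enabled` and `enable_table_permissions`, the column names and the PII hints are assumptions for illustration, not the real Power Apps schema.

```python
"""Audit a constructed export of Power Apps portal list configurations.

Rule from the research: OData feed enabled + "Enable Table Permissions"
not set => the list's data is readable by anonymous users.
Field names here are assumptions for illustration, not the real schema.
"""
import json

# Column-name fragments suggesting personal data (illustrative, assumed set).
PII_HINTS = ("ssn", "social", "email", "phone", "birth", "dob", "vaccin", "fullname")


def exposure(entry: dict) -> str:
    """Classify one list record per the OData / table-permissions rule."""
    odata_on = bool(entry.get("odata_enabled", False))
    perms_on = bool(entry.get("enable_table_permissions", False))
    if not odata_on:
        return "not_exposed"          # no feed, nothing to read anonymously
    if perms_on:
        return "permission_governed"  # table permissions decide who can read
    return "anonymous_readable"       # feed on, no permissions: open to anyone


def has_pii(entry: dict) -> bool:
    """Heuristic: does any column name contain a PII hint?"""
    cols = [c.lower() for c in entry.get("columns", [])]
    return any(h in c for h in PII_HINTS for c in cols)


def audit(config_json: str) -> list:
    """Return (list name, exposure, pii?) for every anonymously readable list,
    lists with PII-looking columns first."""
    findings = []
    for entry in json.loads(config_json):
        state = exposure(entry)
        if state == "anonymous_readable":
            findings.append((entry["name"], state, has_pii(entry)))
    return sorted(findings, key=lambda f: not f[2])


# Constructed sample export, modelled on the kinds of lists the article names.
SAMPLE = json.dumps([
    {"name": "vaccinationSites", "odata_enabled": True,
     "enable_table_permissions": False, "columns": ["siteName", "address", "slots"]},
    {"name": "contactVaccinationSet", "odata_enabled": True,
     "enable_table_permissions": False, "columns": ["fullName", "vaccinationType", "birthDate"]},
    {"name": "contacts", "odata_enabled": True,
     "enable_table_permissions": True, "columns": ["fullName", "emailAddress"]},
    {"name": "internalNotes", "odata_enabled": False,
     "enable_table_permissions": False, "columns": ["note"]},
])

if __name__ == "__main__":
    for name, state, pii in audit(SAMPLE):
        print(f"{name}: {state}{' (PII-looking columns)' if pii else ''}")
```

The "vaccinationSites" list is flagged as open but without PII, which matches the distinction UpGuard draws between data that may be public (site locations, appointment slots) and data that must not be.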
Note to Power Apps Users
Users of Microsoft’s PowerApps should be careful to set any data that contains personal information to private, or risk having it exposed publicly online.