Microsoft Power Apps Data Leak Impacts 38 Million People

A security research team uncovered a problem with the default permissions settings in an app-building tool from Microsoft.

The tool at the centre of the data leak scare is called Microsoft Power Apps, and the problem was originally discovered in May by the security research team at UpGuard.

UpGuard found that the default permissions settings in Microsoft Power Apps were to blame for exposing the data of 38 million people online.

Data leak

Unfortunately, it seems that the exposed data includes names, email addresses, phone numbers, social security numbers, and Covid-19 vaccination status.

“The UpGuard Research team can now disclose multiple data leaks resulting from Microsoft Power Apps portals configured to allow public access – a new vector of data exposure,” wrote the researchers in a blog post.

“UpGuard notified 47 entities of exposures involving personal information, including governmental bodies like Indiana, Maryland, and New York City, and private companies like American Airlines, J.B. Hunt, and Microsoft, for a total of 38 million records across all portals,” it added.

In late June UpGuard notified Microsoft of the issue, but Microsoft closed the investigation after a few days as it felt the behaviour was “by design” and not an actual security breach.

Microsoft did, however, eventually take follow-up actions, and at some point Redmond notified government cloud customers of the issue.

The software giant also released a tool for checking Power Apps portals and planned changes to the product so that table permissions will be enforced by default.

The good news is that there is no evidence that the exposed data has been exploited.

“While we understand (and agree with) Microsoft’s position that the issue here is not strictly a software vulnerability, it is a platform issue that requires code changes to the product, and thus should go in the same workstream as vulnerabilities,” said the researchers.

Vendor responsibility

At least one security expert noted that vendors have to take responsibility for ensuring that their solutions are secure by design.

“All organisations should be working hard to ensure that sensitive customer and employee data remains secure and protected,” noted Matt Aldridge, lead solutions consultant at Webroot.

“This is important as, in this case, the sheer amount and quality of data exposed could make for extremely targeted social engineering attacks if it were to end up in the wrong hands,” said Webroot.

“For example, being able to incorporate details such as Covid vaccination status can enable cybercriminals to create exceptionally plausible phishing attacks against the employees of the organisations affected, helping fuel future attacks,” said Webroot.

“Vendors also must take responsibility for ensuring that their solutions are secure by design, and they should not expect their users to be aware of the nuances of configuring a secure solution, particularly when they are making a solution which is very easy to use for their customers,” noted Webroot.

“Fortunately, in this case the data exposure was found by security researchers, who responsibly disclosed the issues to those affected, but it could easily have been cybercriminals making this discovery and walking away with millions of high-quality personal data records,” he said.

“From a reputation protection standpoint, being in the spotlight for data protection transgressions and data breaches is not good for business,” said Webroot. “This story serves as a reminder for all organisations to invest appropriately in data protection and cyber defences, and wherever possible to ensure that they have their approach validated by trusted independent third parties.”

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
