38 million records exposed by misconfigured Microsoft Power Apps. Redmond's advice? RTFM


Forty-seven government entities and privacy companies, including Microsoft, exposed 38 million sensitive data records online by misconfiguring the Windows giant's Power Apps, a low-code service that promises an easy way to build professional applications.

Security biz UpGuard said that in May one of its analysts found that the OData API for a Power Apps portal offered anonymously accessible database records that included personal details. That led the security shop to look at other Power Apps portals and its researchers found over one thousand apps configured to make data available to anyone who asked.

Among the entities identified by UpGuard are: state and municipal government bodies in Indiana, Maryland, and New York City, and private enterprises like American Airlines, Ford, JB Hunt, and Microsoft. There's no indication so far that information has been misused. It was merely publicly accessible up until UpGuard's disclosures prompted those affected to respond.

Power Apps provides a way for those who are not professional coders to build custom business applications that interact with data from Microsoft Dataverse or other online and on-premises data sources like SharePoint, Microsoft 365, Dynamics 365, SQL Server, and the like. And through Power Apps portals, Microsoft customers can create a public website to make their app data available.

These portal websites fetch data from Power Apps via Open Data Protocol (OData) APIs. The API uses Power Apps lists, a way to render a list of database records. A list is essentially a query made to a specific database table, combined with additional parameters and attributes.

As Microsoft explains in its documentation, "To secure a list, you must configure Table Permissions for the table for which records are being displayed and also set the Enable Table Permissions Boolean value on the list record to true."

But as UpGuard's researchers found, many organizations didn't do so and that made their Power Apps portal lists accessible to anyone. On June 24, UpGuard reported its findings to Microsoft.

"Among the examples of sensitive data exposed via OData APIs were three Power Apps portals used by American governmental entities to track COVID-19 tracing or vaccination and a portal with job applicant data including Social Security Numbers," UpGuard said in a blog post. "We mentioned that these instances were examples of a broader pattern, with a significant number of Power Apps portals configured to allow anonymous access to lists and exposing PII as a result."

Microsoft looked into the report and concluded that its software's proclivity for publishing data without protection isn't a security flaw.

"On Tuesday June 29, the case was closed, and the Microsoft analyst informed us that they had 'determined that this behavior is considered to be by design'," UpGuard explained.

As Apple co-founder Steve Jobs might have put it, the forty-seven entities that left their data in plain sight should "just avoid holding it in that way," or in this case, should just avoid withholding list data controls.

In an email to The Register, a Microsoft spokesperson offered a variation on that theme: "Our products provide customers flexibility and privacy features to design scalable solutions that meet a wide variety of needs. We take security and privacy seriously, and we encourage our customers to use best practices when configuring products in ways that best meet their privacy needs."

Microsoft nonetheless has taken steps to lower the security bar to a level more suitable to low-code apps by changing Power Apps portals to enable table permissions by default rather than assuming the user will opt-in to security. The company also tweaked its documentation page that previously presented advice in purple Note boxes by adding a pink Caution warning: "Use caution when enabling OData feeds without table permissions for sensitive information."

UpGuard's findings were not universally welcomed: Acknowledging last week that "data from the state’s COVID-19 online contact tracing survey was improperly accessed," Tracy Barnes, chief information officer for the State of Indiana, suggested the data exposure followed from UpGuard profiteering.

"The company that accessed the data is one that intentionally looks for software vulnerabilities, then reaches out to seek business," said Barnes.

UpGuard in its post disputed Barnes' insinuation and challenged the Indiana Department of Health to release the agency's recording of the conference call in which UpGuard discussed its findings with state officials.

"During five years of sending data breach notifications, UpGuard has never approached Indiana or any other company notified of a breach for business, and there is no merit to Mr. Barnes's statement," said UpGuard.

Following its initial disclosure to Microsoft, UpGuard found several of Microsoft's own Power Apps portal sites were exposing data. The Global Payroll Services Portal, used for handling payroll questions until being deprecated last year, had 332,000 exposed contacts, with their Microsoft email, full name, phone number, employee ID, and other data fields. The situation was similar for two portals related to Business Tools Support, three Mixed Reality portals, and an Azure China portal operated by 21Vianet.

It is a better resolution to change the product in response to observed user behaviors than to label systemic loss of data confidentiality an end-user misconfiguration

The Register asked Microsoft to elaborate on its emailed statement by letting us know whether the company is aware of any of its exposed data being misused. Microsoft declined to comment further.

UpGuard said while it understands Microsoft's position that this isn't strictly speaking a security vulnerability, it supports code changes that minimize these sorts of issues.

"It is a better resolution to change the product in response to observed user behaviors than to label systemic loss of data confidentiality an end user misconfiguration, allowing the problem to persist and exposing end users to the cybersecurity risk of a data breach," the security biz said.

In a post to LinkedIn, Jukka Niiranen, co-founder of Forward Forever, a Power Platform consultancy, offered a similar assessment.

"Whenever I present to customers the different types of Power Apps types, I try to get the message across that Portals aren't something you want to try and build with a 'citizen developer' skillset," said Niiranen. "The world of complexity that lies behind the product is scary even for many xRM veterans like myself." ®