Microsoft Power Apps misconfiguration exposes 38 million records

The Microsoft Power Apps service on a smartphone
(Image credit: Shutterstock)

Default settings on Microsoft Power Apps portals have led to several data leaks, with 38 million records held by 47 entities, including government bodies and corporations, inadvertently made publicly available.

Microsoft Power Apps is a suite of tools and services, as well as a central data platform, that provides a rapid development environment for organisations to build custom apps to suit their particular needs. Power Apps portals are a way to create public websites that give internal and external users access to data.

The type of data exposed varies between the portal, according to research published by UpGuard, and includes sensitive information used for COVID-19 contact tracing, vaccine appointments, and US social security numbers. The exposed data also includes names and email addresses.

Various entities swept up in the leaks include local US governmental bodies such as Indiana, Maryland and New York City, as well as private companies like American Airlines, JB Hunt, as well as Microsoft itself.

“While we understand (and agree with) Microsoft’s position that the issue here is not strictly a software vulnerability, it is a platform issue that requires code changes to the product, and thus should go in the same workstream as vulnerabilities,” the researchers said.

“It is a better resolution to change the product in response to observed user behaviours than to label systemic loss of data confidentiality an end user misconfiguration, allowing the problem to persist and exposing end users to the cybersecurity risk of a data breach."

The problem lies with Open Data Protocol (OData) APIs, which retrieves data from Power Apps lists which, in turn, pull data from tables and limit access to the list data that a user can see based on table permissions.

Product documentation for Power Apps describes the conditions under which OData APIs can be made publicly accessible, with marketing material suggesting organisations can access their data anonymously or through commercial authentication.

If, however, configurations are not set and the OData feed is enabled, anonymous users can access list data freely. The number of accounts exposing sensitive data reveals the risk attached to this feature and the likelihood of misconfiguring permissions, which hasn’t been fully appreciated until now.

Adding to concerns is the fact that various security reviews conducted by some of the affected entities didn’t catch these misconfigurations.


Don’t just educate: Create cyber-safe behaviour

Designing effective security awareness and training programmes


UpGuard first identified this issue on 24 May and conducted some analysis to determine how serious the issue was. The security firm then submitted a vulnerability report to Microsoft on 24 June, including steps to identify OData feeds that allowed anonymous access to list data, and URLs for accounts exposing sensitive information.

On 29 June, the case was closed and a Microsoft analyst informed UpGuard researchers that the firm had determined this behaviour is considered to be by design.

After UpGuard began informing affected entities that their data might be exposed, and after finding instances of Microsoft data caught out by this misconfiguration, the firm learned that Microsoft did eventually take action.

Microsoft notified government cloud customers of this issue, and also released a tool for checking Power Apps portals. The firm has also planned changes to the product so that table permissions will be enforced by default.

"For anyone who digitally processes sensitive information– that is, virtually all companies and government bodies– being prepared for a notification of a data leak or other incident will improve outcomes,” UpGuard continued.

“In some cases, we struggled to get in contact with anyone who would remediate the issue. Providing a designated privacy contact on an easily searchable web page improves that part of the response process.

“Finally, technology leaders should have a general understanding of the phenomenon of data exposures. As more information is moved online, the frequency of sensitive data being made publicly available increases.”

Keumars Afifi-Sabet
Features Editor

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.