Microsoft Power Apps Data Leak Impacts 38 Million People

A security research team uncovered a problem with the default permissions settings in an app-building tool from Microsoft.

The tool at the centre of the data leak scare is called Microsoft Power Apps, and the problem was originally discovered in May by the security research team at UpGuard.

UpGuard found that the default permissions settings in Microsoft Power Apps were to blame for exposing the data of 38 million people online.

Data leak

Unfortunately, it seems that the exposed data includes names, email addresses, phone numbers, social security numbers, and Covid-19 vaccination status.

“The UpGuard Research team can now disclose multiple data leaks resulting from Microsoft Power Apps portals configured to allow public access – a new vector of data exposure,” wrote the researchers in a blog post.

“UpGuard notified 47 entities of exposures involving personal information, including governmental bodies like Indiana, Maryland, and New York City, and private companies like American Airlines, J.B. Hunt, and Microsoft, for a total of 38 million records across all portals,” it added.

In late June UpGuard notified Microsoft of the issue, but Microsoft closed the investigation after a few days, as it felt the flaw was “by design” and not an actual security breach.

Microsoft did, however, eventually take follow-up actions, and at some point Redmond notified government cloud customers of the issue.

The software giant also released a tool for checking Power Apps portals and planned changes to the product so that table permissions will be enforced by default.

And the good news is that there is no evidence of the data being exploited.

“While we understand (and agree with) Microsoft’s position that the issue here is not strictly a software vulnerability, it is a platform issue that requires code changes to the product, and thus should go in the same workstream as vulnerabilities,” said the researchers.

Vendor responsibility

At least one security expert noted that vendors have to take responsibility for ensuring that their solutions are secure by design.

“All organisations should be working hard to ensure that sensitive customer and employee data remains secure and protected,” noted Matt Aldridge, lead solutions consultant at Webroot.

“This is important as, in this case, the sheer amount and quality of data exposed could make for extremely targeted social engineering attacks if it were to end up in the wrong hands,” said Webroot.

“For example, being able to incorporate details such as Covid vaccination status can enable cybercriminals to create exceptionally plausible phishing attacks against the employees of the organisations affected, helping fuel future attacks,” said Webroot.

“Vendors also must take responsibility for ensuring that their solutions are secure by design, and they should not expect their users to be aware of the nuances of configuring a secure solution, particularly when they are making a solution which is very easy to use for their customers,” noted Webroot.

“Fortunately, in this case the data exposure was found by security researchers, who responsibly disclosed the issues to those affected, but it could easily have been cybercriminals making this discovery and walking away with millions of high-quality personal data records,” he said.

“From a reputation protection standpoint, being in the spotlight for data protection transgressions and data breaches is not good for business,” said Webroot. “This story serves as a reminder for all organisations to invest appropriately in data protection and cyber defences, and wherever possible to ensure that they have their approach validated by trusted independent third parties.”

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long-standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
