A configuration issue with a popular Microsoft development platform has exposed tens of millions of sensitive customer records, including those containing COVID-19 information, according to researchers.
Microsoft Power Apps enables “citizen developers” to create mobile and web-based apps for their businesses.
However, a team from UpGuard found that portals built on the platform were in many cases configured to allow public access, exposing at least 38 million records.
The issue stems from the Open Data Protocol (OData) APIs for retrieving data from Power Apps lists. This is the configuration used to “expose records for display on portals.”
“Lists pull data from tables, and limiting access to the list data that a user can see requires enabling Table Permissions,” explained UpGuard.
“‘To secure a list, you must configure Table Permissions for the table for which records are being displayed and also set the Enable Table Permissions Boolean value on the list record to true.’ If those configurations are not set and the OData feed is enabled, anonymous users can access list data freely.”
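The rule UpGuard quotes can be turned into an offline configuration audit. The following is an added example, not UpGuard's or Microsoft's code; the list records and field names are constructed for illustration and are not Dataverse's real column names.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PortalList:
    """One portal list record (constructed shape, not the real Dataverse schema)."""
    name: str
    table: str
    odata_enabled: bool               # OData feed switched on for this list
    table_permissions_enabled: bool   # "Enable Table Permissions" flag on the list

def find_exposed_lists(lists, tables_with_permissions):
    """Apply the page's rule: a list is anonymously readable when its OData feed is on
    and it is NOT protected by Table Permissions both enabled on the list AND defined
    for the table it displays. Returns (exposed list names, warnings)."""
    exposed, warnings = [], []
    for lst in lists:
        if not lst.odata_enabled:
            continue  # no feed, nothing is served to anonymous users
        has_table_perm = lst.table in tables_with_permissions
        if lst.table_permissions_enabled and has_table_perm:
            continue  # both halves of the rule are satisfied
        if lst.table_permissions_enabled and not has_table_perm:
            # Flag alone is not enough; no Table Permission record exists for the table
            warnings.append(f"{lst.name}: flag set but no Table Permission for '{lst.table}'")
        exposed.append(lst.name)
    return exposed, warnings

# Constructed sample configuration for a single portal
SAMPLE_LISTS = [
    PortalList("Vaccination Intake", "contact", True, True),
    PortalList("Job Applications", "cr_application", True, False),
    PortalList("Contact Tracing", "cr_trace", True, True),
    PortalList("Internal Notes", "cr_note", False, False),
]
SAMPLE_TABLE_PERMISSIONS = {"contact"}  # only the contact table has a permission record

if __name__ == "__main__":
    names, warns = find_exposed_lists(SAMPLE_LISTS, SAMPLE_TABLE_PERMISSIONS)
    print("anonymously exposed:", names)
    print("warnings:", warns)
```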
UpGuard said it first discovered the privacy issue in May. However, after helping one customer secure its portal, it wondered whether other organizations also had lists set to be accessed anonymously via the OData feed APIs, exposing sensitive data.
UpGuard said it found over a thousand anonymously accessible lists across several hundred portals. Among the organizations exposed in this way were American Airlines, Ford and multiple public sector entities.
“Among the examples of sensitive data exposed via OData APIs were three Power Apps portals used by American governmental entities to track COVID-19 tracing or vaccination and a portal with job applicant data including Social Security Numbers,” said UpGuard.
Microsoft eventually responded by notifying government customers of the issue and putting several mitigations in place to reduce the likelihood of accidental misconfiguration.