According to security researchers, Microsoft Power Apps Portals were left exposed online, leading to approximately 38 million records being leaked. The exposed data included COVID-19 contact tracing data, vaccine registrations and employee databases containing home addresses, phone numbers, social security numbers and vaccination status.
The data came from a number of large companies and institutions that unfortunately exposed it in this incident, including American Airlines, Ford, the Indiana Department of Health and New York City public schools. The issue has been fixed as of this writing.
Security researchers from UpGuard began investigating the issue in May. They discovered that data from many Power Apps portals that was supposed to be private was available to anyone who knew where to look.
The Power Apps service is intended to make it as easy as possible for customers to build their own web and mobile applications. It exposes application programming interfaces (APIs) that web developers can use with the data they collect. Data obtained through Power Apps Portals was public by default, and manual reconfiguration was required to keep the information private.
The UpGuard team sent a detailed vulnerability report to the Microsoft Security Resource Center on June 24th. The report included links to Power Apps Portals accounts from which sensitive data was exposed, along with the steps used to identify the APIs that enabled anonymous data access.
The researchers worked with Microsoft to clarify how to reproduce the issue. However, a Microsoft analyst told the firm on June 29th that the case was closed and that they had “determined that this behavior is considered to be by design.”
UpGuard took the initiative to notify the affected companies and organizations, which eventually moved to lock down their data. An abuse report was filed with Microsoft on July 15th, and by July 19th most of the data from the Power Apps portals in question, including the most sensitive information, had been made private.
“Our products provide customers flexibility and privacy features to design scalable solutions that meet a wide variety of needs. We take security and privacy seriously, and we encourage our customers to use best practices when configuring products in ways that best meet their privacy needs,” Microsoft said in a statement.
Microsoft Power Apps portals apps will keep data private by default when developers use the APIs. Microsoft has also released a tool that lets developers check their settings.
This may look like a mere misconfiguration, and a minor one at that, but the implications can lead to a serious data breach, so it is anything but minor. It clearly shows that software developers need to thoroughly test, and probably triple-check, their settings when plugging in APIs they did not design themselves.
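To make the mechanism behind the exposure concrete, here is an added example. It is not Microsoft's code, not the Power Apps Portals implementation, and not UpGuard's tooling; the per-table permission model, the sensitive-column list and the sample rows are constructed for illustration. It models a portal data API with a per-table anonymous-read setting, contrasts the "public by default" policy described above with a deny-by-default one, and includes the kind of owner-side settings check a developer would want before publishing a portal: it flags any table whose sensitive columns can be read without a login.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed model of a portal data API with per-table permissions.
# This is a simplified illustration, not the Power Apps Portals implementation.

# Column names we treat as sensitive for the audit (constructed list).
SENSITIVE_COLUMNS = {"ssn", "phone", "home_address", "vaccination_status", "employee_id"}


@dataclass
class Table:
    name: str
    columns: List[str]
    rows: List[dict]
    # None means the portal owner never configured a permission for this table.
    anonymous_read: Optional[bool] = None


@dataclass
class Portal:
    tables: Dict[str, Table]
    # False models the original behaviour: table permissions are not enforced,
    # so any table reachable through the API is readable without a login.
    enforce_table_permissions: bool


def anonymous_can_read(portal: Portal, table: Table) -> bool:
    """Effective anonymous-read decision for one table."""
    if not portal.enforce_table_permissions:
        return True                      # public by default: nothing stops the read
    return table.anonymous_read is True  # deny unless explicitly allowed


def list_records(portal: Portal, table_name: str, principal: str) -> List[dict]:
    """Serve a list request; principal is 'anonymous' or an authenticated user id."""
    table = portal.tables[table_name]
    if principal == "anonymous" and not anonymous_can_read(portal, table):
        raise PermissionError(f"anonymous access to '{table_name}' denied")
    return table.rows


def audit(portal: Portal) -> List[str]:
    """Owner-side check: flag tables whose sensitive columns are anonymously readable."""
    findings = []
    if not portal.enforce_table_permissions:
        findings.append("portal: table permissions are not enforced; every table is readable anonymously")
    for table in portal.tables.values():
        sensitive = sorted(set(table.columns) & SENSITIVE_COLUMNS)
        if table.anonymous_read is None:
            findings.append(f"{table.name}: no explicit anonymous-read setting")
        if sensitive and anonymous_can_read(portal, table):
            findings.append(f"{table.name}: sensitive columns {sensitive} readable anonymously")
    return findings


def sample_tables() -> Dict[str, Table]:
    # Constructed sample data; every value is a placeholder.
    return {
        "contact_tracing": Table(
            "contact_tracing", ["name", "phone", "vaccination_status"],
            [{"name": "A. Example", "phone": "555-0100", "vaccination_status": "yes"}],
        ),
        "public_notices": Table(
            "public_notices", ["title", "body"],
            [{"title": "Clinic hours", "body": "9-5"}], anonymous_read=True,
        ),
    }


def legacy_portal() -> Portal:
    """Portal as originally shipped: permissions not enforced."""
    return Portal(sample_tables(), enforce_table_permissions=False)


def hardened_portal() -> Portal:
    """Portal with deny-by-default table permissions."""
    return Portal(sample_tables(), enforce_table_permissions=True)


if __name__ == "__main__":
    for portal in (legacy_portal(), hardened_portal()):
        print("enforce_table_permissions =", portal.enforce_table_permissions)
        for finding in audit(portal):
            print("  ", finding)
```

Run as a script, the legacy portal reports three findings (permissions not enforced, an unconfigured table, and sensitive columns readable anonymously) while the hardened portal reports only that the contact-tracing table was never explicitly configured, which under deny-by-default is safe but still worth fixing. The point of the audit is that "no setting" is treated as a finding in both modes: a default that silently means "public" is exactly the trap the article describes.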
According to UpGuard, there is no indication yet that any of the exposed data has been compromised. Among the most sensitive information left in the open were 332,000 email addresses and Microsoft employee IDs used for payroll. The company also says that more than 39,000 records from portals related to Microsoft Mixed Reality were exposed, including users’ names and email addresses.
At any rate, as regular computer users, how can we be sure that our data is always secure?