Microsoft Power Apps contributed to a data exposure of 38M people

The cause of the disclosure of over 38 million people's personal information is a Microsoft tool for developing applications. The information, which included names, email addresses, phone numbers, and Covid-19 vaccination appointments, was exposed when approximately 47 companies and government offices used Microsoft's Power Apps platform to create more than a thousand apps, some of which were improperly permissioned on the platform.

Although there is no evidence that the data was misused, it is concerning that no one identified an issue of this magnitude while it was present across many websites.

The vulnerability was discovered in May by a security research team named UpGuard. According to the team, over a thousand web apps have been created using the Microsoft Power Apps portal by organizations such as American Airlines, Ford, and the New York City Municipal Transportation Authority.

All of these apps had permission misconfigurations that caused the portal to make their data publicly available. Simply querying the portal service could return all of the information that these businesses and organizations had entered into the system. Several of these Power Apps were developed by Microsoft for its own use.

“We discovered one of these that had been incorrectly configured to expose data, and we wondered, ‘We’ve never heard of this before, is this a one-off thing or is this a systemic issue?’” Greg Pollock, vice president of cyber research at UpGuard, told Wired about the company’s efforts.

“Because of the way the Power Apps portals product works, it is quite simple to conduct a survey in a short period of time. And we noticed that there are a large number of them that have been disclosed. It was a crazy ride.”

Microsoft has stated that the problem that allowed the data to be exposed has been resolved, but the incident raises important questions about how corporations handle the development of apps and the storage of data. Although it is unclear whether the companies were at fault for failing to set proper permissions when storing the data of their customers or whether it was Microsoft’s oversight that resulted in the data being exposed, one thing is clear: the data was exposed.

Microsoft blamed the firms that were using Power Apps, but if the people building apps on Microsoft’s platform were so skilled at coding and handling permissions, they would not have needed Power Apps in the first place.

Power Apps lets businesses build small, functional apps without coding skills, which is why many businesses rely on Microsoft’s platform to create small apps. Companies can also use Power Apps to take data they already hold and load it into the Power Apps platform.

Following this incident, Microsoft modified the default settings of the Power Apps interface in order to prevent a similar data breach from occurring in the future.