[German]I've been waiting for something like this to happen for a while now. Misconfigured Microsoft Power Apps exposed 38 million records of sensitive data. Forty-seven government agencies and companies are affected, as security researchers at UpGuard discovered in May 2021 and have now disclosed.
Advertising
Microsoft Power Apps
Power Apps is a component of the Microsoft Power Platform, which also includes Microsoft Power Automate and Power BI. The product is used to create "low-code" business intelligence apps that are hosted in the cloud. Power Apps portals are a way to create a public website to "provide both internal and external users with secure access to your data."
Power Apps supports a wide range of connectors to leverage data from sources such as SharePoint, Microsoft Dynamics 365, Salesforce or other third-party systems. Users can create sites in the Power Apps user interface with application features such as user authentication, forms for user data entry, data transformation logic, storage of structured data and APIs for other applications to retrieve that data.
Configuring applications does not require developer skills. This is how the solution is promoted by Microsoft – virtually anyone can develop apps without much knowledge. Portals provide a public website for interaction with these applications. Typically, a business unit or government agency uses a portal as an interface to a specific audience such as customers, distributors, employees, or citizens.
Broken by Design
But whenever it says "You don't need any knowledge to do this or that", the next accident is not far. I had rather expected "Power Apps will be discontinued" or "There has been a serious vulnerability found in Power Apps". Now, however, the default settings in the environment in question have been tricking users' to expose data.
Security researchers from Upguard came across several data leaks in the Microsoft Power Apps portals in May 2021, which they have now disclosed in this article. The problem: Microsoft Power Apps portals were configured to allow public access. This must have been the default setting when the portals were set up. The whole thing allowed a new vector for data leaks, as unauthorized third parties could access the publicly shared data.
Advertising
OData API configuration
The Power Apps have an option to enable OData APIs (Open Data Protocol). Using these APIs to retrive data from Power Apps lists is possible. Power Apps lists represent the Power Apps configuration used to "expose records for display in portals". The lists retrieve data from tables. To restrict access to list data for a user, table permissions must be enabled and configured. Specifically, to protect a list, users must configure table permissions for the table for which the records may be displayed. Also, the Boolean value for the table permissions in the list record must be set to true. If these configurations are not set and the OData feed is enabled, anonymous users can access list data without hindrance.
38 million records publicly exposed
On May 24, 2021, an UpGuard analyst first discovered that the OData API for a Power Apps portal contained anonymously accessible list data, including personally identifiable information. The owner of that app was notified and the data was secured. This case led to the question of whether there are other portals with the same situation – the combination of configurations that allow anonymous access to lists via OData feed APIs and sensitive data collected and stored by the apps.
Upguard's security researchers then encountered a lot more data leaks in the Microsoft Power Apps portals with sensitive data that was publicly available. The type of data exposed varied from portal to portal. Very personal information used for COVID-19 contact tracking, COVID-19 vaccination dates, social security numbers of job applicants, employee IDs and millions of names and email addresses were found.
UpGuard security researchers identified and reported 47 posts where personally identifiable information was publicly viewable. Among the 47 sites were government agencies such as Indiana, Maryland and New York City, as well as private companies such as American Airlines, J.B. Hunt and Microsoft. In total, 38 million records were accessible across all affected portals.
Microsoft: This is by design, RTFM
On Thursday, June 24, 2021, Upguard security analysts submitted a vulnerability report to the Microsoft Security Resource Center. On Tuesday, June 29, the case was closed, and the Microsoft analyst told security researchers that they "determined that this behavior is considered intentional." In other words, the users who cobbled together the apps were to blame.
In the aftermath, the security researchers analyzed the discovered over a thousand anonymously accessible lists in a few hundred portals and then notified their owners. It would have been more ideal if Microsoft had been involved in this process. But the first attempt was unsuccessful – later Microsoft took action after the security researchers reported some of the most serious threats.
So security researchers spent weeks analyzing the data for indicators of sensitivity and contacting the affected organizations. In the linked article, the security researchers described some of the details for some of the most serious cases. For example, American Airlines was affected with its "Contacts" collection. This contained 398,890 records that included full names, job titles, phone numbers and email addresses. The "Test" collection contained 470,400 records, which included full names, job titles, phone numbers and email addresses. The details can be read in this article. Wired also published this article on the topic.
