A flaw in Microsoft's Power Apps platform left some 38 million records exposed from a thousand first-party and third-party apps, including Covid-19 contact-tracing and vaccine sign-up apps, job application portals, and apps from American Airlines, Ford, New York's MTA, and more.
Beginning in May, according to a report in Wired, researchers from the security firm UpGuard found the flaw in a number of Power Apps portals. Per Wired, "none of the data is known to have been compromised," and the flaw in Power Apps has since been fixed, but it's still not a good look for Microsoft or the Power Apps platform, which has been touted as an easy way for organizations to quickly build apps without needing a lot of coding or development work.
UpGuard first noticed that the platform had misconfigured security settings, and then dug in further to find a systemic problem with Power Apps:
In addition to managing internal databases and offering a foundation to develop apps, the Power Apps platform also provides ready-made application programming interfaces to interact with that data. But the UpGuard researchers realized that when enabling these APIs, the platform defaulted to making the corresponding data publicly accessible. Enabling privacy settings was a manual process. As a result, many customers misconfigured their apps by leaving the insecure default.
Microsoft has taken steps to mitigate the issues:
At the beginning of August, Microsoft announced that Power Apps portals will now default to storing API data and other information privately. The company also released a tool customers can use to check their portal settings. Microsoft did not respond to a request from WIRED for comment.
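The two quoted passages describe an authorization default that exposes a table unless an operator explicitly restricts it, and a settings checker that operators can run against their own portal. The following Python is an added, hypothetical illustration of that pattern and is not Power Apps code; it does not call any Microsoft API. The table names, roles and rows are constructed sample data. It models the "allow unless configured" rule beside a "deny unless configured" rule and runs an audit over both to show which tables an anonymous caller could read.

```python
"""Insecure-by-default data API versus default-deny, as a hypothetical model.

Added example for this article; not Power Apps code. It models an API layer that
serves a table to anyone unless an operator has configured read permissions,
versus one that serves nothing until a permission is explicitly granted.
"""
from dataclasses import dataclass, field

ANONYMOUS = None  # a request carrying no authenticated user


@dataclass
class Table:
    name: str
    rows: list
    # Roles allowed to read this table. Empty means "no permission configured".
    # The pseudo-role "anonymous" explicitly opts a table into public access.
    read_roles: set = field(default_factory=set)


@dataclass
class User:
    name: str
    roles: set


def _role_match(table: Table, user) -> bool:
    """Shared rule for tables that DO have permissions configured."""
    if "anonymous" in table.read_roles:
        return True
    return user is not None and bool(user.roles & table.read_roles)


def authorize_read_insecure(table: Table, user) -> bool:
    """Insecure default (the reported behaviour): a table with no permission
    configured is readable by anyone, including anonymous callers."""
    if not table.read_roles:
        return True  # the dangerous default
    return _role_match(table, user)


def authorize_read_secure(table: Table, user) -> bool:
    """Default deny: an unconfigured table is not readable by anyone; access
    exists only where an operator granted a role (or 'anonymous') explicitly."""
    if not table.read_roles:
        return False
    return _role_match(table, user)


def list_rows(table: Table, user, authorize=authorize_read_secure) -> list:
    """Serve rows only when the chosen policy authorizes the caller."""
    if not authorize(table, user):
        raise PermissionError(f"read on {table.name} denied")
    return table.rows


def audit_anonymous_exposure(tables, authorize) -> list:
    """Names of tables an anonymous caller could read under the given policy.
    This is the kind of check an operator runs over their own configuration,
    analogous to the portal-settings checker mentioned above."""
    return [t.name for t in tables if authorize(t, ANONYMOUS)]


# Constructed sample data; no real records.
TABLES = [
    Table("contact_tracing", [{"id": 1, "name": "sample person", "phone": "000-0000"}]),
    Table("job_applications", [{"id": 7, "ssn": "000-00-0000"}], read_roles={"hr"}),
    Table("public_faq", [{"q": "Hours?", "a": "9-5"}], read_roles={"anonymous"}),
]

if __name__ == "__main__":
    print("insecure default exposes:", audit_anonymous_exposure(TABLES, authorize_read_insecure))
    print("default deny exposes:    ", audit_anonymous_exposure(TABLES, authorize_read_secure))
```

Under the insecure policy the audit flags the unconfigured contact_tracing table as well as the intentionally public FAQ; under default deny only the FAQ, which an operator deliberately opened, remains readable without authentication. The audit function is the part worth keeping: whatever the platform's default, enumerating what an unauthenticated caller can read from your own configuration is the check that catches this class of misconfiguration.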