Researchers have notified 47 public and private organizations of data exposure from Power Apps configured to allow public access.
The UpGuard research team has disclosed multiple data leaks stemming from Microsoft Power App portals configured to allow public access. A total of 38 million records have been exposed.
Power Apps are used to build low-code, cloud-hosted business intelligence apps, and Power Apps portals are used to create public websites so internal and external users can gain access to an organization's data. The issue UpGuard is reporting involves the Open Data Protocol (OData) API, which retrieves data from Power Apps lists and is used to expose records for display on portals.
In its documentation for Power Apps portals, Microsoft warns that OData feeds are public if they are misconfigured. If the correct configurations are not set and the OData feed is enabled, then list data can be freely accessed by anonymous users.
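As an added example (not UpGuard's tooling and not code from the article), the following Python self-audit fetches one of your own portal's lists with no session cookie and reports whether an anonymous visitor gets rows back; it assumes the portal serves OData at `https://<portal-host>/_odata/<EntitySetName>`, a path the article does not state, and the PII column heuristic is a constructed triage aid.

```python
"""Self-audit of a Power Apps portal OData feed (added example, not UpGuard's tooling).
Assumption not in the article: the portal serves OData at
https://<portal-host>/_odata/<EntitySetName>. The request carries no cookie or
token, so what comes back is what any anonymous visitor sees."""
import json
import urllib.error
import urllib.request

PII_HINTS = ("email", "ssn", "social", "phone", "birth", "dob", "name", "address")

def classify_odata_response(status, body):
    """Map an anonymous HTTP response to exposed / empty / protected / disabled / unknown."""
    if status in (401, 403):
        return "protected"   # portal demanded authentication
    if status == 404:
        return "disabled"    # no OData feed at this path
    if status != 200:
        return "unknown"
    try:
        doc = json.loads(body)
    except ValueError:
        return "unknown"     # e.g. an HTML sign-in page, not an OData document
    rows = doc.get("value") if isinstance(doc, dict) else None
    if not isinstance(rows, list):
        return "unknown"
    return "exposed" if rows else "empty"

def pii_columns(rows):
    """Column names across the returned rows whose names suggest personal data (heuristic)."""
    hits = {col for row in rows for col in row if any(h in col.lower() for h in PII_HINTS)}
    return sorted(hits)

def fetch_anonymous(url, timeout=10):
    """GET the URL with no cookies or tokens; return (status, body_text)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def audit_entity_set(host, entity_set):
    """Audit one list on one portal; returns (verdict, columns that look like PII)."""
    status, body = fetch_anonymous(f"https://{host}/_odata/{entity_set}")
    verdict = classify_odata_response(status, body)
    cols = pii_columns(json.loads(body)["value"]) if verdict == "exposed" else []
    return verdict, cols
```

A "protected" or "disabled" verdict is the expected state for a portal whose lists hold personal data; "exposed" means the feed needs its access settings corrected before anything else.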
Researchers discovered this is the case for many organizations' data. On May 24, 2021, an UpGuard researcher found the OData API for a Power Apps portal had anonymously accessible list data, including personally identifiable information. A report was submitted to Microsoft on June 24.
UpGuard notified 47 organizations of exposures via the OData API involving personal data. Those affected include governmental bodies such as the state of Indiana, New York City Municipal Transportation Authority and NYC Schools, and the Maryland Department of Health, as well as private entities including American Airlines, Microsoft, and J.B. Hunt.
The types of exposed data vary depending on the portal but include personal data used for COVID-19 contact tracing, COVID-19 vaccination appointments, Social Security numbers for job applicants, employee IDs, and millions of names and email addresses.
Read UpGuard's full blog post for more information.