38M Records Exposed via Microsoft Power Apps Misconfiguration
Researchers have notified 47 public and private organizations of data exposure from Power Apps configured to allow public access.
August 23, 2021
The UpGuard research team has disclosed multiple data leaks stemming from Microsoft Power Apps portals configured to allow public access. A total of 38 million records have been exposed.
Power Apps are used to build low-code, cloud-hosted business intelligence apps, and Power Apps portals are used to create public websites so internal and external users can gain access to an organization's data. The issue UpGuard is reporting involves the Open Data Protocol (OData) API, which retrieves data from Power Apps lists and is used to expose records for display on portals.
In its documentation for Power Apps portals, Microsoft warns that OData feeds are public if they are misconfigured. If the correct configuration is not set and the OData feed is enabled, list data can be freely accessed by anonymous users.
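A self-audit for portal administrators, added here as an example and not taken from the article or from UpGuard's tooling. It assumes (from Microsoft's portal documentation, not from this page) that the OData feed is served at `<portal-url>/_odata` and that an anonymous GET of that service document returns a JSON `value` array of entity sets when the feed is enabled; the sample response is constructed.

```python
"""Check whether a Power Apps portal's OData feed answers anonymous requests.

Assumption (not from the article): the feed's service document lives at
<portal-url>/_odata and, when enabled, returns HTTP 200 with a JSON "value"
array naming the entity sets (lists) exposed through OData. A feed that is
listed anonymously still needs its table permissions reviewed per list.
"""
import json
import urllib.error
import urllib.request

ODATA_PATH = "/_odata"  # assumed service-document path


def classify(status: int, body: bytes) -> tuple[str, list[str]]:
    """Map the result of an anonymous GET of /_odata to a finding.

    Returns (finding, entity_sets). "feed-anonymous" means the service
    document was served to an unauthenticated caller and lists entity sets.
    """
    if status in (401, 403):
        return "auth-required", []
    if status == 404:
        return "feed-disabled", []
    if status != 200:
        return f"unexpected-{status}", []
    try:
        doc = json.loads(body)
    except ValueError:
        return "not-odata", []  # e.g. an HTML login or error page
    sets = [e.get("name") or e.get("url")
            for e in doc.get("value", []) if isinstance(e, dict)]
    return ("feed-anonymous" if sets else "empty-feed"), sets


def audit_portal(base_url: str, timeout: float = 10.0) -> tuple[str, list[str]]:
    """Issue one unauthenticated GET against a portal you administer."""
    req = urllib.request.Request(base_url.rstrip("/") + ODATA_PATH,
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as exc:
        return classify(exc.code, exc.read())


# Constructed sample of what an anonymously served service document looks like.
SAMPLE_FEED = json.dumps({
    "@odata.context": "https://portal.example/_odata/$metadata",
    "value": [{"name": "contacts", "kind": "EntitySet", "url": "contacts"},
              {"name": "appointments", "kind": "EntitySet", "url": "appointments"}],
}).encode()

if __name__ == "__main__":
    print(classify(200, SAMPLE_FEED))  # ('feed-anonymous', ['contacts', 'appointments'])
```

Run `audit_portal("https://<your-portal>")` only against portals you operate; each entity set it reports should then be checked against the list's table permissions.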
Researchers discovered this is the case for many organizations' data. On May 24, 2021, an UpGuard researcher found the OData API for a Power Apps portal had anonymously accessible list data, including personally identifiable information. A report was submitted to Microsoft on June 24.
UpGuard notified 47 organizations of exposures via the OData API involving personal data. Those affected include governmental bodies such as the state of Indiana, New York City Municipal Transportation Authority and NYC Schools, and the Maryland Department of Health, as well as private entities including American Airlines, Microsoft, and J.B. Hunt.
The types of exposed data vary depending on the portal but include personal data used for COVID-19 contact tracing, COVID-19 vaccination appointments, Social Security numbers for job applicants, employee IDs, and millions of names and email addresses.
Read UpGuard's full blog post for more information.