Microsoft Power Apps, a low-code application development platform, was recently discovered to contain an API design flaw that exposed more than 38 million records from organizations including government bodies and large corporations, among them sensitive customer data such as social security numbers and COVID-19 vaccination status. Although no information is available about the leaked data, this broad access was not entirely an accident, according to the reporting of UpGuard, the security research firm that first discovered the threat.
Although Microsoft’s Power Apps platform provides thousands of services for application development, it was Microsoft’s Dataverse data storage service that was at the root of the problem. Architecturally, Dataverse is the underlying data technology that powers the data-driven websites Microsoft customers build with the portals feature of the Power Apps platform. To communicate programmatically with the same data outside the portal environment (for example, from a mobile or web app), customers can enable OData (Open Data Protocol) APIs on the database. In doing so, however, any customer who enabled these OData APIs inadvertently made the underlying data accessible anonymously. In other words, these APIs were insecure by default. The API documentation did note that the data would be publicly accessible unless developers took additional steps to manually update the privacy settings. But without digging into the documentation, users were unaware that by enabling these APIs they were exposing their databases to the public.
The vulnerability was first discovered when the security research firm UpGuard launched an investigation into various Microsoft Power Apps portals that exposed an astonishing amount of customer data that would normally be restricted. Greg Pollock, vice president of cyber research at UpGuard, explained the discovery to Wired in a recent interview:
“We found one that was misconfigured to expose the data and we thought, we’d never heard of this; is it an isolated thing or is it a systemic issue? Because of the way the portal product works, it’s easy to survey quickly. And we discovered that many of them are exposed. It was wild.”
UpGuard disclosed the discovery to Microsoft shortly after the investigation began and said that Microsoft had responded with a statement that it had “determined that this behavior is considered by design.” Reporting on the weakness, the news organization CNN noted that “Microsoft did not dispute [UpGuard’s] account [of that reply].” Affected organizations included New York City and private companies such as American Airlines, Ford, JB Hunt, and Microsoft itself. In addition to social security numbers and COVID-19 vaccination status, UpGuard noted that the issue also exposed a large number of names, email addresses, and employee IDs associated with job applications.
Eventually, Microsoft relented and took follow-up action, which included notifying government cloud customers of the issue and releasing a Portal Checker tool that helps determine whether data is open to anonymous access.
The most surprising part of this design failure is that Microsoft expected users of a low-code development platform to comb through API documentation thoroughly for security risks. UpGuard’s article outlines its research and summarizes this finding:
“Experimental evidence suggests that a warning in the technical documentation is not enough to avoid the serious consequences of misconfiguring OData list feeds for Power Apps portals. Our conversations with the agencies we reported to suggested the same outcome.”
In addition, the security researchers outlined the steps that should have been taken to properly protect the data exposed by the API.
“… you need to configure the table permissions for the table for which the records are being displayed and also set the table permissions boolean value to enable list records; if these are not configured and the OData feed is enabled, anonymous users can freely access list data.”
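The rule quoted above (OData feed enabled plus table permissions not enforced equals anonymous read access) can be turned into a configuration audit that an administrator runs over their own portal's list definitions before anything is exposed. The following is an added example, not UpGuard's or Microsoft's code; the `adx_*` field names are modeled on the portal list schema and should be treated as assumptions, and the sample records are constructed.

```python
"""Audit Power Apps portal list definitions for anonymous OData exposure.

Added example (not from the article, UpGuard or Microsoft). A list is flagged
EXPOSED when its OData feed is on and table permissions are not enforced, and
INCOMPLETE when permissions are enforced but no read permission exists for the
table. Field names in comments are assumptions about the portal schema.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class EntityList:
    name: str                  # list display name (adx_name, assumed)
    table: str                 # table the list reads (adx_entityname, assumed)
    odata_enabled: bool        # adx_odata_enabled (assumed)
    permissions_enabled: bool  # adx_entitypermissionsenabled (assumed)


@dataclass(frozen=True)
class TablePermission:
    table: str   # adx_entitylogicalname (assumed)
    read: bool   # read privilege granted to some web role


def audit_lists(lists, permissions):
    """Return {list name: finding} for every list that needs attention."""
    readable = {p.table for p in permissions if p.read}
    findings = {}
    for lst in lists:
        if not lst.odata_enabled:
            continue  # no feed, so nothing reachable anonymously via OData
        if not lst.permissions_enabled:
            findings[lst.name] = "EXPOSED: OData feed on, table permissions off"
        elif lst.table not in readable:
            findings[lst.name] = f"INCOMPLETE: no read permission for {lst.table}"
    return findings


def audit_sample():
    """Run the audit over constructed sample records."""
    lists = [
        EntityList("Job Applications", "cr_application", True, False),
        EntityList("Vaccination Appointments", "cr_appointment", True, True),
        EntityList("Public Notices", "cr_notice", False, False),
        EntityList("Contacts", "contact", True, True),
    ]
    permissions = [TablePermission("contact", True)]
    return audit_lists(lists, permissions)


if __name__ == "__main__":
    for name, finding in audit_sample().items():
        print(f"{name}: {finding}")
```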
UpGuard noted that since the issue was reported, the majority of affected Microsoft customers have now secured the previously exposed data.