38 million data records spilled by Microsoft power apps

Parv Kohli

August 23, 2021

Microsoft power apps is described as a service that enables users to build and use custom business apps that connect to their data and work across the internet. It saves them time and expenses for custom software development. The Microsoft Power apps portal has exposed personal data tied to 38 million records that included vaccination status, social security numbers, and email addresses for several months. UpGuard's researchers revealed that the power apps management portal had leaked data of around 47 businesses. The research revealed that the flaw lies in how the portal forces customers to configure their data as private or public.UpGuard says the leak was linked to how the power apps use open data protocol with its API. The data is categorized based on private or public access. For example, regarding the vaccination status, the data of vaccination sites needs to be publicly available, but the people's personal information must remain private. According to UpGuard, the crux of the issue boiled down to configuration settings that instruct a Power Apps user to "set the Enable Table Permissions Boolean value on the list record to true." The affected organizations include American Airlines, Ford, the Indiana Department of Health, New York City public schools, and even Microsoft's own The Global Payroll Services Portal. Since the disclosure of the issue, Microsoft has released a portal checker. A portal checker is a tool for checking for leaks as it can detect the lists that have anonymous access. More importantly, the new releases of the power apps will have tabled permissions enabled by default. Though the user can still change this setting, this update can significantly reduce the risks for future leaks.

Abridged fromThreat Post