Cause 38 Million Microsoft Power App User Data Revealed Publicly
JAKARTA - Microsoft is again having problems regarding the security of its services. This time around 38 million data from Microsoft's Power App platform was left open to the public for months. This is because Power App has weak default security settings.
A study from the cybersecurity company UpGuard showed that some Power App users did not secure their databases, as quoted from Windows Central, Tuesday, August 24.
Further investigation revealed that the data leak came as a result of an organization using Microsoft's Power Apps. The platform can be used to create websites and manage data, but misconfigured it can result in security risks.
Power Apps can be used to manage data that organizations want to publish, such as the location of vaccination centers, as well as data that must remain private, such as social security numbers. Default settings for Power Apps make data publicly accessible until the latest changes from Microsoft
The data that was left open came from sources such as American Airlines, Ford, New York public schools, and several states' COVID-19 contact tracing databases.
"We came across one of these that was misconfigured to expose data and we thought, we've never heard of this, is this a one-time issue or is this a systemic issue? Because of how the Power Apps portal product works, it's really easy to do a quick survey. We found there was a huge amount of exposure. It was wild," said UpGuard VP Cyber Research Greg Pollock.
UpGuard started investigating a large number of supposedly private Power App portals in May 2021, even apps created by Microsoft were misconfigured. However, although it is open to the public, no data is known to have been stolen.
The crux of the problem lies in the default security settings. For example, when setting up a Power App and connecting an API, the platform by default makes the associated data publicly accessible. Thanks to an update in August, Power Apps will use the default settings to keep data safe.
The data exposed included multiple COVID-19 contact tracing platforms, vaccination registrations, job application portals, employee databases and more.
"While we understand (and agree with) Microsoft's position that the issue here is not strictly a software vulnerability, it is a platform issue that requires code changes to the product, and as such should fall within the same workflow as the vulnerability," an UpGuard representative said. .
"It is a better resolution to change the product in response to observed user behavior than to label the systemic loss of data confidentiality as an end-user misconfiguration, which allows the problem to persist and exposes end users to cybersecurity risks from data breaches." .