Microsoft power apps have exposed 38 million sensitive data records including COVID-19 vaccination statuses.
Sensitive data including COVID-19 vaccination statuses, social security numbers and email addresses have been exposed due to weak default configurations for Microsoft Power Apps, according to Upguard.
Upguard Research disclosed multiple data leaks exposing 38 million data records via Microsoft Power Apps portals configured to allow public access. The data leaks impacted American Airlines, Microsoft, J.B. Hunt and governments of Indiana, Maryland and New York City. Upguard first discovered the issue involving the OData API for a Power Apps portal on May 24 and submitted a vulnerability report to Microsoft on June 24.
Private data was exposed.
According to the research, the primary issue is that all data types were public when some data like personal identifying information should have been private. Misconfiguration led to some private data being surfaced.
Since its findings, the company has reached out to Microsoft and other affected portals. It submitted a vulnerability report to the Microsoft Security Resource Center on June 24, 2021. However, it notes that Microsoft did not take any serious action until after it notified some of the portals that suffered from the most severe exposures. Many of Microsoft’s own portals were also affected by the security lapse.
Since getting into action, Microsoft has now enabled table permissions by default for Power Apps portals.
It even released a tool for the Power Apps users to self-diagnose their portals. The company even notified its government cloud customers of this issue, the consequent changes of which were observed later. Microsoft Power Apps are low-code tools to design apps and create public and private websites.