Microsoft Power Apps misconfiguration exposes 38 million data records

[RV_]

This is a serious breach and even includes Microsoft but only for their employees. I'll post the more layperson's terms article first. However despite the second art6icle's tech gobbeldygook some of which I was not getting, if you scroll down to the details of each known breached company etc it is easy for anyone to see if it affects them.

Excerpt:

"The data leaks impacted American Airlines, Microsoft, J.B. Hunt and governments of Indiana, Maryland and New York City, says Upguard.

Sensitive data including COVID-19 vaccination statuses, social security numbers and email addresses have been exposed due to weak default configurations for Microsoft Power Apps, according to Upguard.

Upguard Research disclosed multiple data leaks exposing 38 million data records via Microsoft Power Apps portals configured to allow public access.

The data leaks impacted American Airlines, Microsoft, J.B. Hunt and governments of Indiana, Maryland and New York City. Upguard first discovered the issue involving the ODdata API for a Power Apps portal on May 24 and submitted a vulnerability report to Microsoft June 24.

According to Upguard, the primary issue is that all data types were public when some data like personal identifying information should have been private. Misconfiguration led to some private data being surfaced.

Microsoft Power Apps are low-code tools to design apps and create public and private web sites."

That article which is sparse is here:

https://www.zdnet.com/article/microsoft-power-apps-misconfiguration-exposes-38-million-data-records/?ftag=TRE-03-10aaa6b&bhid={%24external_id}&mid={%24MESSAGE_ID}&cid={%24contact_id}&eh={%24CF_emailHash}

 

Excerpt from the second article by the company that found the vulnerabilities:

"By Design: How Default Permissions on Microsoft Power Apps Exposed Millions Published Aug 23, 2021

The UpGuard Research team can now disclose multiple data leaks resulting from Microsoft Power Apps portals configured to allow public access - a new vector of data exposure. The types of data varied between portals, including personal information used for COVID-19 contact tracing, COVID-19 vaccination appointments, social security numbers for job applicants, employee IDs, and millions of names and email addresses. UpGuard notified 47 entities of exposures involving personal information, including governmental bodies like Indiana, Maryland, and New York City, and private companies like American Airlines, J.B. Hunt, and Microsoft, for a total of 38 million records across all portals. This research presents an example of a larger theme, which is how to manage third-party risks (and exposures) posed by platforms that don't slot neatly into vulnerability disclosure programs as we know them today, but still present as security issues.

Notification to affected entities

We had discovered over a thousand anonymously accessible lists across a few hundred portals that needed to be analyzed and potentially notified. Ideally, Microsoft would have been involved in doing so, but our attempt to pursue this option thus far had been unsuccessful– though Microsoft would later take action after we had notified some of the most severe exposures. We spent the next few weeks analysing the data for indicators of sensitivity and reaching out to affected organizations. The notification timelines and data classes for some of the most significant exposures are described below to give a sense of the prevalence and impact of this design decision."

The details can be found easily understandable if you go to the link below and scroll down to: "Notification to affected entities" The details are below that heading here:

https://www.upguard.com/breaches/power-apps