Researchers at UpGuard have discovered that a huge amount of sensitive data was exposed over the Internet because default permissions had not been changed on a tool developed by Microsoft for building apps. The researchers found many Microsoft Power Apps portals still running with the default settings, which made their data publicly accessible.
An investigation was launched by the researchers in May 2021 after the discovery of one leaking portal. The investigation revealed this was a systemic issue and many Power Apps portals were leaking data, when it was clear from the data they contained that they should be private.
During the course of the investigation the researchers identified exposed data from companies such as Ford and American Airlines, as well as COVID-19 vaccination and contact tracing information, including one database maintained by the Indiana Department of Health. In total, 47 apps had not had the default settings changed and the data of 38 million individuals were exposed.
Employee databases had been exposed that contained home addresses, phone numbers, email addresses, Social Security numbers, vaccination statuses, information about vaccination appointments, and data related to contact tracing efforts. Around 332,000 email addresses and Microsoft employee IDs used for payroll were included in the exposed data, along with 39,000 Microsoft Mixed Reality records that included names and email addresses.
The Power Apps service, provided by Microsoft, is used by many companies for building mobile and web apps. The service provides developers with Application Programming Interfaces (APIs) for accessing the data their apps collect. Unless the default settings are changed, enabling those APIs automatically makes the data they serve publicly accessible.
UpGuard reported the issue to the Microsoft Security Resource Center, which investigated but closed the case as the apps were making data public by design, rather than this being a security vulnerability. Most of the companies notified about the exposure of data have now changed the default settings and have made their data private. There is no indication that any of the exposed data have been misused.
Microsoft has now changed its default settings to private. Manual reconfiguration is now required to make data public. Microsoft has also released a tool for users of Power Apps to check whether data collected through the apps are public or private.
Microsoft maintains that any exposure of data was the fault of users of the service for failing to configure it properly, but when a service is developed that is intended to make it easy for people with little experience to create apps, adopting a privacy-by-design approach would have made more sense.