Microsoft’s Power Apps leaks data from 47 companies, report finds

Microsoft’s Power Apps platform exposed 38 million records of critical personal data of 47 organizations due to “platform issues,” a report by U.S.-based information security company, UpGuard revealed on Monday.

UpGuard’s research team disclosed various data breaches caused by Microsoft’s Power Apps platform, granting public access leading to the latest trail of data exposure. Leaked data extended from personal information meant for COVID-19 contract tracing and vaccination appointments, social security numbers for job applications, employees IDs, to millions of names and email addresses.

The research firm informed 47 organizations of the data leaks, including governmental entities such as Indiana, Maryland, and New York City, alongside private institutions such as American Airlines, J.B. Hunt, and Microsoft, leading to a colossal leak of 38 million on all the platform’s portals.

Microsoft’s Power Apps are identified as a “suite of apps, services, connectors and data platform that provides a rapid application development environment apps for your business needs.” The platform offers developers a bundle of Office 365 tools to build customized apps that share data locally or with the cloud for businesses of all sizes.

Categorically, the platform’s false configurations left immense quantities of data exposed to the web.

“The number of accounts exposing sensitive information, however, indicates that the risk of this feature – the likelihood and impact of its misconfiguration – has not been adequately appreciated,” the research stated.

It seems that the Big Tech giant misconfigured a vast number of its private Power Apps databases, leading to the exposure of a monumental amount of data. One of these databases included a “collection of 332,000 email addresses and employees IDs used for Microsoft’s payroll services.”

In June, UpGuard researchers submitted a vulnerability report to Microsoft Security Resource Center (MSRC), addressing the issue of OData feeds identification as it provides unidentified admission to a selection of data and URLs for accounts that were potentially exposing critical data.

“Among the examples of sensitive data exposed via OData APIs were three Power Apps portals used by American governmental entities to track COVID-19 tracing or vaccination and a portal with applicant data including Social Security Numbers,” the research declared.

According to OData, (Open Data Protocol) is defined by a group of best practices for creating and consuming RESTful APIs. It guides tracking changes, describing functions/ actions for reusable procedures, and sending batch requests.

RESTful APIs are an application programming interface (API or Web API) that follows the rules of REST API, which transfers a representation of information of the state of the resource to the requester. Usually, the information is delivered via HTTP, such as Javascript Object Notation (JSON), HTML, Python, PHP, or normal text.

As for Microsoft’s knowledge of the potential risks of Power Apps exposed portals, researchers had already informed the company of the consequences that might follow the accessibility to the public. Researchers highlighted that the transpired leaks should be seen as mishaps immerging from a much more damaging pattern that might lead to unsettling data exposure.

However, Microsoft analysts deemed this situation as nothing but an error in design.

“Over the next day, we corresponded with the Microsoft analyst to clarify steps to reproduce and Microsoft’s relationship to the powerappsportals.com domain. On Tuesday, June 29, the case was closed, and the Microsoft analyst informed that us they had ‘determined that this behavior is considered to be by design,” the report added.

As for the distribution of the leaked data, the transportation logistics firm J.B. Hunt Transport Services revealed that 905,228 records were exposed, followed by Denton Country with 632,171 records, American Airlines with a collection of 398,890 ‘contact’ records, and finally Microsoft’s own The Global Payroll Services Portal with 332,000 records of the company’s employees and contractors.

Ever since UpGuard released the report, the tech titan released a tool that assists in examining Power Apps portals for any potentially leaked data, in addition to putting into motion proposals to change the product so that table permissions will be automatically enforced.