Microsoft Power Apps security breach exposes 38 million user data

Image: Peter Macdiarmid (Getty Images)

Image: Peter Macdiarmid (Getty Images)

One of the most popular tools among Windows users has a security hole that could have led to millions of data records being leaked. That’s what researchers at the company UpGuard point out, who recently discovered that 47 different entities — including governments, companies and Microsoft itself — may have been hit by the breach.

The bug in question hits Microsoft’s Power Apps, a development platform that allows organizations to build web apps faster. Many governments have used the service to create Covid-19 contact tracking interfaces, for example.

It turns out that, along with such ease, the platform manages a massive amount of data in the background. That’s where the danger lies, as security researchers have found that some incorrect product settings can leave a lot of information publicly exposed on the internet.

In addition to authorities and large companies, the list of affected targets includes the state governments of Maryland and Indiana, and public agencies in New York City, including the Metropolitan Transportation Authority (MTA), responsible for public transport in the city. Also vulnerable are private airlines, including American Airlines and transportation and logistics company JB Hunt.

UpGuard researchers write that the leaked data holding still contains many confidential things, including “personal information used for Covid-19 contact tracking and names of vaccinated people, social security numbers for job applicants, employee IDs and millions names and e-mail address”.

Error would have gone off internally at Microsoft

According to the researchers, Microsoft itself appears to have misconfigured several of its Power Apps databases, leaving several records exposed. One apparently included a “collection of 332,000 email addresses used by employees for Microsoft’s global payroll services.”

In June, UpGuard contacted Microsoft’s Security Resource Center to submit a vulnerability report, alerting the company to the widespread problem. In all, 38 million user records were exposed as a result of the leaks observed by the researchers. UpGuard concluded that Microsoft has not publicized this security issue enough, and that more should have been done to alert customers to the dangers of misconfiguration.

“The number of accounts that expose sensitive information indicates that the risk of this feature — the likelihood and impact of its misconfiguration — has not been properly assessed. On the one hand, the product documentation accurately describes what happens if an application is configured in this way. On the other hand, the evidence studied suggests that a warning in the technical documentation is not sufficient to avoid the serious consequences of misconfiguring OData list feeds for Power Apps portals,” wrote UpGuard.

Subscribe to the Gizmodo newsletter

Since being alerted, Microsoft has changed the default permissions and settings related to Power Apps to make the product more secure.