Researchers attribute the problem to too permissive default permission settings.
According to cybersecurity researchers, an incorrect default permission setting exposed personally identifiable information (PII) of over 30 million US individuals from across a few hundred websites.
More than a thousand anonymously accessible lists were discovered across a few hundred portals, and these lists contained sensitive information such as an individual’s Covid-19 vaccination status, as well as their phone numbers, home address, social security number (SSN), and other personal information.
Incorrectly set up PowerApps portals not only enabled access to public data as intended, but they also exposed private data without anybody being aware of it (seemingly by accident).
When it comes to Microsoft PowerApps portals that are configured to allow public access, the researchers say they have discovered a “new vector of data exposure.” “The UpGuard Research team can now disclose multiple data leaks resulting from Microsoft PowerApps portals that are configured to allow public access,” the researchers write in their analysis of the leak.
Is it a feature, or is it a misconfiguration?
The type of information the researchers could access varied from organization to organization. Over the course of the study, the researchers were able to examine data from about four dozen organizations, including public bodies such as Indiana, Maryland, and New York City, and private firms such as American Airlines and Ford, among others.
According to the researchers, the astonishing level of exposure reveals a failure on Microsoft’s side. The company failed to adequately communicate the default settings and behavior of the PowerApps platform throughout the development process.
As the researchers explain, their conversations with the organizations they notified led them to the same conclusion: “Multiple governmental bodies reported performing security reviews of their apps without identifying this issue, presumably because it has never been adequately publicized as a data security concern before.”
Because Microsoft considered this behavior to be “by design,” the company initially dismissed UpGuard’s findings.
However, once UpGuard began contacting the impacted organizations, Microsoft took steps to ensure that its clients did not unintentionally disclose information. These included releasing a tool that checks for lists that allow anonymous access, and changing the default table permissions.
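The root cause described above is a list whose OData feed is served without the portal's table permissions being enforced, so anyone who can reach the feed can read every record. The following is an added example, not UpGuard's research code and not Microsoft's checking tool: it models portal list and table-permission settings with a simplified, constructed data structure (the field names `odata_enabled`, `enable_table_permissions`, `scope` and `web_roles` are assumptions standing in for the real portal configuration) and flags the two configurations a defender would want to review: feeds with table permissions disabled, and tables whose global read permission is granted to the anonymous web role.

```python
"""Audit constructed Power Apps portal list configurations for anonymous
OData exposure.

Constructed example: the dataclasses below are a simplified stand-in for
portal list settings and table permissions, not Microsoft's schema and not
Microsoft's own anonymous-access checking tool.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Web role that every unauthenticated visitor to a portal effectively holds.
ANONYMOUS_ROLE = "Anonymous Users"


@dataclass
class TablePermission:
    table: str
    scope: str            # e.g. "Global", "Contact", "Account", "Parent"
    web_roles: List[str]  # web roles this permission is granted to
    read: bool = True


@dataclass
class PortalList:
    name: str
    table: str
    odata_enabled: bool             # list publishes an OData feed
    enable_table_permissions: bool  # feed is filtered by table permissions


Finding = Tuple[str, str]  # (severity, message)


def audit_list(lst: PortalList, permissions: List[TablePermission]) -> Optional[Finding]:
    """Return a finding if this list can serve records to anonymous visitors."""
    if not lst.odata_enabled:
        return None  # no feed: nothing to fetch outside the rendered page
    if not lst.enable_table_permissions:
        # Feed served without consulting table permissions at all:
        # every record in the table is readable by anyone who finds the URL.
        return ("high",
                f"{lst.name}: OData feed on '{lst.table}' with table "
                f"permissions disabled (anonymous read of all records)")
    for perm in permissions:
        if (perm.table == lst.table and perm.read
                and perm.scope == "Global"
                and ANONYMOUS_ROLE in perm.web_roles):
            # Permissions are enforced, but explicitly grant global read to
            # anonymous users; legitimate for public data, so flag for review.
            return ("review",
                    f"{lst.name}: global read on '{lst.table}' granted "
                    f"to '{ANONYMOUS_ROLE}'")
    return None


def audit_portal(lists: List[PortalList], permissions: List[TablePermission]) -> List[Finding]:
    """Run audit_list over every list and collect the findings."""
    findings = []
    for lst in lists:
        finding = audit_list(lst, permissions)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample configuration (table and list names are invented).
SAMPLE_LISTS = [
    PortalList("Vaccination appointments", "appointment", True, False),
    PortalList("Public events", "event", True, True),
    PortalList("Contact requests", "contactrequest", True, True),
    PortalList("Internal notes", "note", False, False),
]
SAMPLE_PERMISSIONS = [
    TablePermission("event", "Global", [ANONYMOUS_ROLE, "Authenticated Users"]),
    TablePermission("contactrequest", "Contact", ["Authenticated Users"]),
]

if __name__ == "__main__":
    for severity, message in audit_portal(SAMPLE_LISTS, SAMPLE_PERMISSIONS):
        print(f"[{severity}] {message}")
```

The "high" case is the one the article describes: the feed exists and permissions are never consulted, so the check does not depend on which roles exist. The "review" case is a deliberate configuration that may be correct for genuinely public records, which is why it is reported separately rather than treated as a leak.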