Microsoft's Power Apps portal service is a backend platform that helps third parties create web or mobile apps. More than a thousand of those apps have been found to be exposing the data of their users, for a combined total of around 38 million records.
Exposed data includes phone numbers, home addresses, social security numbers, and COVID-19 vaccination statuses, from a range of sources including employee databases, job application indexes, and contact tracing platforms.
It's certainly far from the biggest data exposure in recent months, but this is a high-profile one, with affected companies including big names like American Airlines, Ford, and the New York City Municipal Transportation Authority.
How Did It Happen?
A Power Apps portal essentially helps an organization launch a quick pre-fab web application that can handle user sign-ups and maintain a database of information. In the world of website design, that's one of the pricier types of sites. Particularly since the COVID-19 pandemic began around March 2020, these web apps have been in high demand.
In May 2021, Wired magazine reports, researchers at the security firm UpGuard spotted a number of Microsoft Power Apps portals that were exposing data that should have stayed private — one core API would expose data by default, and most customers weren't manually correcting this in order to keep their database private. The portal design has since been tweaked to fix the issue.
“It Was Wild”
There's no evidence that any bad actors noticed and took advantage by stealing it, but it's not a great look for a service with as much brand authority as Microsoft. It even surprised the researchers who uncovered the problem:
“We found one of these that was misconfigured to expose data and we thought, we’ve never heard of this, is this a one-off thing or is this a systemic issue?” Greg Pollock, UpGuard's vice president of cyber research, told Wired. “Because of the way the Power Apps portals product works, it’s very easy to quickly do a survey. And we discovered there are tons of these exposed. It was wild.”
There are a few takeaways here. First, some of the issue may be chalked up to the rapid growth of online infrastructure due to 2020's sudden shift to remote work.
More importantly, though, it's a reminder that the buck stops with cloud providers when it comes to making their default as secure as possible: Sure, the Power Apps customers could have tweaked the default API, but they shouldn't be expected to.
Perhaps the biggest takeaway of all, however, is that even the biggest names in internet services won't keep your data safe all the time. And as great as a password manager or a VPN is, this is one case in which your social security number is out of your hands. But, uh, happy Monday!