Misconfigured Power Apps Portals Exposed Data for 38 Million Users


Over 1000 web apps created with Microsoft’s Power Apps inadvertently exposed the data of over 38 million users thanks to a misconfiguration, according to a new report in Wired. The good news? The issue has been fixed and no customers are known to have been compromised.

“We found [a web app created with Power Apps] that was misconfigured to expose data and we thought, we’ve never heard of this, is this a one-off thing or is this a systemic issue?” UpGuard vice president Greg Pollock told Wired. “Because of the way the Power Apps portals product works, it’s very easy to quickly do a survey. And we discovered there are tons of these exposed. It was wild.”


The data included sensitive information such as phone numbers, home addresses, social security numbers, and COVID-19 vaccination statuses, and it was leaked via COVID-19 contact tracing platforms, vaccination sign-ups, job application portals, and employee databases. Organizations such as American Airlines, Ford, J.B. Hunt, the Maryland Department of Health, the New York City Municipal Transportation Authority, and New York City public schools were responsible for the leaks, all of which were attributed to a single misconfiguration in Power Apps. Even some of Microsoft’s own apps suffered from this mistake.

The organizations used Power Apps to create public-facing web apps and backend management portals, the report says. And while the exposure is troubling, Microsoft has already changed the design of Power Apps portals to address this issue, and there are no known compromises. Microsoft has also issued a tool so existing customers can test their portal settings.


Conversation (10 comments)

  • blue77star

    23 August, 2021 - 3:05 pm

    It is really bad platform.

    • Paul Thurrott

      Premium Member
      24 August, 2021 - 9:03 am

      What. Why?

  • navarac

    23 August, 2021 - 4:10 pm

    Once again, it is shown that Microsoft and Security are not bedfellows :-(

  • waethorn

    23 August, 2021 - 7:41 pm

    Brilliant! Way to leverage those QA testers there, Satya!

    *golf clap*

    (they were all laid off)

    • miamimauler

      24 August, 2021 - 5:43 am

      I see Mike and Vancouver are nowhere to be seen, typical.

    • chuckop

      Premium Member
      25 August, 2021 - 9:42 am

      This is not a test issue. It’s a design issue. The design allowed for insecure by default. They didn’t do the threat modeling very well, or discounted the threat.

  • hrlngrv

    Premium Member
    23 August, 2021 - 8:06 pm

    Tangent: will MSFT’s usual waivers of merchantability and fitness be able to protect them in perpetuity from indirect legal action from people affected by this?

    Flipping this around, wouldn’t a credible risk of losing US$ 11-figure lawsuits incentivize MSFT to adopt a more effective approach to security?

  • winner

    24 August, 2021 - 3:45 am


  • eric_rasmussen

    Premium Member
    24 August, 2021 - 11:29 am

    I hope they analyzed traffic logs to determine that no customer data was leaked; it’s not typically obvious that someone has taken advantage of an exploit until network traffic patterns become unusual.

    The whole power platform thing seems ripe for this kind of problem. When you make it so easy to build public-facing apps that non-technical people can do it, you run the risk of having known bad practices become commonplace. Normal people don’t obsess about security or load testing or most other things the people who read this site do.

    • waethorn

      25 August, 2021 - 10:47 am

      They don’t even notify of brute force attacks on RDP in Windows – the most common attack vector of ransomware. Why would they do anything for this?


Thurrott © 2023 Thurrott LLC