Over 1000 web apps created with Microsoft’s Power Apps inadvertently exposed the data from over 38 million users thanks to a misconfiguration, according to a new report in Wired. The good news? The issue has been fixed and no customers are known to have been compromised.
“We found [a web app created with Power Apps] that was misconfigured to expose data and we thought, we’ve never heard of this, is this a one-off thing or is this a systemic issue?” UpGuard vice president Greg Pollock told Wired. “Because of the way the Power Apps portals product works, it’s very easy to quickly do a survey. And we discovered there are tons of these exposed. It was wild.”
The exposed data includes sensitive information such as phone numbers, home addresses, social security numbers, and COVID-19 vaccination statuses, and it was leaked via COVID-19 contact tracing platforms, vaccination sign-ups, job application portals, and employee databases. Organizations such as American Airlines, Ford, J.B. Hunt, the Maryland Department of Health, the New York City Municipal Transportation Authority, and New York City public schools were responsible for the leaks, which were attributed to a single misconfiguration in Power Apps. Even some of Microsoft’s own apps suffered from this mistake.
The organizations used Power Apps to create public-facing web apps and backend management portals, the report says. And while the exposure is troubling, Microsoft has already changed the design of Power Apps portals to address this issue, and there are no known compromises. Microsoft has also issued a tool so existing customers can test their portal settings.