Misconfigured Power Apps Portals Exposed Data for 38 Million Users

Posted on August 23, 2021 by Paul Thurrott in Cloud, Dev, Microsoft with 10 Comments

Over 1000 web apps created with Microsoft’s Power Apps inadvertently exposed the data from over 38 million users thanks to a misconfiguration, according to a new report in Wired. The good news? The issue has been fixed and no customers are known to have been compromised.

“We found [a web app created with Power Apps] that was misconfigured to expose data and we thought, we’ve never heard of this, is this a one-off thing or is this a systemic issue?” UpGuard vice president Greg Pollock told Wired. “Because of the way the Power Apps portals product works, it’s very easy to quickly do a survey. And we discovered there are tons of these exposed. It was wild.”

The exposed data included sensitive information such as phone numbers, home addresses, social security numbers, and COVID-19 vaccination statuses, and it was leaked via COVID-19 contact tracing platforms, vaccination sign-ups, job application portals, and employee databases. Organizations such as American Airlines, Ford, J.B. Hunt, the Maryland Department of Health, the New York City Municipal Transportation Authority, and New York City public schools were responsible for the leaks, all of which were attributed to a single misconfiguration in Power Apps. Even some of Microsoft’s own apps suffered from this mistake.

The organizations used Power Apps to create public-facing web apps and backend management portals, the report says. And while the exposure is troubling, Microsoft has already changed the design of Power Apps portals to address this issue, and there are no known compromises. Microsoft has also issued a tool so existing customers can test their portal settings.


10 responses to “Misconfigured Power Apps Portals Exposed Data for 38 Million Users”

  1. navarac

    Once again, it is shown that Microsoft and Security are not bedfellows :-(

  2. waethorn

    Brilliant! Way to leverage those QA testers there, Satya!


    *golf clap*


    (they were all laid off)

  3. hrlngrv

    Tangent: will MSFT's usual waivers of merchantability and fitness be able to protect them in perpetuity from indirect legal action from people affected by this?


    Flipping this around, wouldn't a credible risk of losing US$ 11-figure lawsuits incentivize MSFT to adopt a more effective approach to security?

  4. eric_rasmussen

    I hope they analyzed traffic logs to determine that no customer data was leaked; it's not typically obvious that someone has taken advantage of an exploit until network traffic patterns become unusual.


    The whole power platform thing seems ripe for this kind of problem. When you make it so easy to build public-facing apps that non-technical people can do it, you run the risk of having known bad practices become commonplace. Normal people don't obsess about security or load testing or most other things the people who read this site do.

    • waethorn

      They don’t even notify of brute force attacks on RDP in Windows - the most common attack vector of ransomware. Why would they do anything for this?
