Check your permissions: default settings in Microsoft tool expose 38 million user records online

The default permission settings of a Microsoft app-building tool were responsible for exposing the data of 38 million people online. Forty-seven companies and government agencies using Microsoft's Power Apps platform inadvertently made public information including names, email addresses and phone numbers. Microsoft has resolved the issue, and there is no evidence that the data was exploited.
Security research group UpGuard first discovered the problem in May. A blog post by UpGuard and a report from Wired explain how Power Apps let organizations create apps with improper data permissions.

"One of these apps was misconfigured to reveal data. We thought it was a unique problem," Greg Pollock, UpGuard's vice-president of cyber research, told Wired. "It is very simple to conduct a survey because of the way Power Apps portals works. We discovered that there were many of them. It was amazing."

Power Apps is a tool that allows companies to create simple websites and apps without any coding knowledge. Ford, American Airlines and J.B. Hunt were among the organizations affected by the exposure. The platform was also used by state agencies in Maryland and by New York City to collect data, including for organizing vaccination efforts. Power Apps provides tools to quickly collect the data such projects need, but, as UpGuard found, its default settings made that information publicly accessible.

The mechanism of this particular breach is notable because it blurs the line between a software vulnerability and poor user interface design. UpGuard says Microsoft's position is that it was not a vulnerability, since users were responsible for configuring the permissions incorrectly. However, if a tool is intended for people with limited programming experience, making its default settings as safe as possible would seem to be the sensible choice. According to Wired, Microsoft has since changed the default permission settings that were responsible for the exposure.