Over a thousand web applications accidentally exposed 38 million records via the open Internet. This data included data from many COVID-19 contact-tracing platforms and vaccination sign-ups. This data contained sensitive information such as phone numbers, home addresses, social security numbers, and COVID-19 vaccination status.
Major companies and organizations were affected by the incident, including American Airlines and Ford, J.B. Hunt Transportation and Logistics Company, Maryland Department of Health, New York City Municipal Transportation Authority and New York City Public Schools. While the data exposures were resolved, they demonstrate how one bad configuration can have wide-ranging consequences on a popular platform.
All of the exposed data was stored in Microsoft's Power Apps portal, which is a platform that allows you to create mobile or web apps for external use. Power Apps portals are able to quickly create a website for vaccine appointment signing-up during a pandemic.
Researchers from UpGuard started investigating large numbers of Power Apps portals which publicly exposed data that should be private. This included some Power Apps that Microsoft had created for its own use. Although none of the data has been found to be compromised, the discovery is still significant as it highlights an oversight in the design process of Power Apps portals. This oversight has since been corrected.
Advertisement
The Power Apps platform not only allows you to manage your internal databases but also gives you the foundation for developing apps. It also offers ready-made interfaces that allow you to interact with this data. The UpGuard researchers discovered that the APIs were made public by the platform when they were enabled. It was difficult to enable privacy settings. Many customers left the default insecure setting and misconfigured their apps as a result.
One of these was misconfigured to reveal data. We thought it was a unique problem or a widespread issue. Greg Pollock is UpGuard's vice-president of cyber research. It is very simple to conduct a survey because of the Power Apps portals software. We discovered that there were many of them. It was amazing.
Researchers came across many types of information. J.B. Hunt exposed job applicant data, which included Social Security numbers. Microsoft also exposed several databases through its Power Apps portals. These included an old platform called Global Payroll Services and two portals called "Business Tools Support". A Customer Insights portal was also available.
There were many limitations to the information. However, the fact that Indiana had Power Apps portal access does not mean that all data held by the state was exposed. A subset of the contact-tracing data that was used in the state's Power Apps portal wasn't involved.
Over the years, cloud-based databases have been misconfigured a lot. This has led to huge amounts of data being stolen or inappropriate access. While major cloud companies such as Amazon Web Services, Google Cloud Platform and Microsoft Azure have taken steps to ensure customers' data is stored privately by default and flagged potential misconfigurations from the beginning, the industry did not prioritize the issue until recently.
Advertisement
The UpGuard researchers discovered those issues after years of studying cloud misconfigurations. UpGuard tried to collect as much information as possible and notify affected organizations. However, the researchers were unable to reach every entity due to the sheer number of affected organizations. They also shared their findings with Microsoft. Microsoft announced at the beginning of August that Power Apps portals would now default to private storage of API data and other information. Customers can also use the tool to review their portal settings. WIRED reached out to Microsoft for comment but they did not respond.
Although the individuals involved in the incident could theoretically have found the problem, UpGuard's Pollock stresses that cloud providers must provide secure defaults. It's likely that many users will accidentally expose data.
This is a lesson the entire industry has had to learn, sometimes painfully.
Kenn White, Open Crypto Audit Project director, said that secure default settings are important. If a pattern is observed in web-facing systems that are still misconfigured using a particular technology, it's a sign of something very wrong. Developers from different industries and technical backgrounds are continuing to make the same mistakes on a platform. The spotlight should be on the platform's builder.
Pollock claims that all the sensitive portals are now private, thanks to both UpGuard's notifications and Microsoft's fixes.
He says that it is well-known that cloud buckets can be misconfigured. This has been a part of other projects we have worked on. We felt that we had an ethical responsibility to ensure at least the most sensitive buckets before we could discuss the systemic issues.
This story first appeared on wired.com
