Multiple users of Microsoft’s business applications solution Power Apps — including Microsoft itself — are alleged to have unintentionally exposed 38 million records through portals that allow public access, according to a report from cybersecurity company UpGuard.
The report has led to changes from Microsoft, UpGuard said, and one Microsoft partner told CRN that the incident is a reminder to solution providers on “the balance” between information sharing and security and the importance of identity and data management even after applications are made available to users.
UpGuard — which has head offices in Sydney; Hobart, Australia; and Mountain View, Calif. — reported on Monday that Power Apps portals by government agencies and private companies exposed data including names, phone numbers, addresses and, in one case, data that resembled Social Security numbers. In another case, New York City’s Department of Education appeared to have exposed student email addresses.
The report acknowledged that after UpGuard contacted Microsoft in June about the “sensitive data” exposures, the tech giant “released a tool for checking Power Apps portals and planned changes to the product so that table permissions will be enforced by default.”
“To diagnose configuration issues, the Portal Checker can be used to detect lists that allow anonymous access,” according to the report. “More importantly, newly created Power Apps portals will have table permissions enabled by default. Table configurations can still be changed to allow for anonymous access, but defaulting to permissions enabled will greatly reduce the risk of future misconfiguration.”
Microsoft did “the best thing they can” in response to what UpGuard found, according to the report.
“It is a better resolution to change the product in response to observed user behaviors than to label systemic loss of data confidentiality an end user misconfiguration, allowing the problem to persist and exposing end users to the cybersecurity risk of a data breach,” according to the report.
The report comes at a time of heightened scrutiny of the security around Microsoft applications. Earlier this month, threat researcher Huntress warned managed service providers (MSPs) of on-premises Microsoft Exchange Server ProxyShell vulnerabilities that could be exploited by cybercriminals. And Microsoft has issued multiple reports on a Windows Print Spooler vulnerability known as PrintNightmare.
Protecting Users From Themselves
In an email to CRN US, a Microsoft spokesperson said that customers are notified about public feed availability when discovered so they can review and remediate if the public availability was unintended. The spokesperson said that only a small subset of customers configured the portal as described in the UpGuard report and that Microsoft’s primary portal designer, Design Studio, uses strong privacy settings by default.
“Our products provide customers flexibility and privacy features to design scalable solutions that meet a wide variety of needs,” the spokesperson said. “We take security and privacy seriously, and we encourage our customers to use best practices when configuring products in ways that best meet their privacy needs.”
Greg Pollock, vice president of cyber research at UpGuard, told CRN US in an interview that the data exposures show the importance of setting up triggers for abnormal user behaviour and the potential danger of the low-code, no-code philosophy putting data science abilities in the hands of amateurs.
His advice is to “slow down and to properly budget for mastering the technologies involved.”
“My guess would be that many of these portals that were exposing data were because the person who was using it and who set up the data feed API was not an expert,” Pollock said. “I’m going to guess they did not read the documentation.”
“You want to hire someone who knows the stuff inside and out,” he continued. “The same applies even more so to other technologies, whether it’s in the Amazon Cloud, the same stuff applies. You need someone who knows how all of the access control rules work because it can be very complicated. The identity and access management in any cloud environment is pretty complicated. You don’t want to throw it to someone where it’s like, ‘I’m going to figure it out on the fly.’”
The exposure of information held by businesses is a reminder to solution providers to check what customer information is being exposed by internet-connected tools. Multiple partner program portals were observed exposing data, Pollock said.
“There were quite a number of lead databases related to software sales but also to other companies,” he said. “You get not just the contact’s name and email address, maybe their phone number, but also some notes about it. It’s the context that makes that information a lot more risky, if it were to be exposed, not just for the contact but also for your business. Customer lists are valuable information. You don’t want your competitors knowing who your customers are — or knowing anything about your sales motion, really.”
The examples of data exposure UpGuard discovered range from a portal by logistics company J.B. Hunt exposing “a number matching the format for a US Social Security Number and which contained numbers that have been issued as SSNs” to the New York City Department of Education exposing “mail addresses for the ‘nycstudents.net’ mail domain – likely the school-assigned email addresses for students, though it is difficult to verify the identities of minors with publicly available data.”
The Maryland Department of Health exposed “what appeared to be COVID-19 testing appointments containing the appointment date, time, and location, as well as the reference ID of the contact associated with the appointment,” according to the report.
A global payroll services portal by Microsoft used to handle payroll questions exposed email addresses and employee IDs. One Microsoft list “had metadata about the employees’ questions like the ticket title – examples include ‘Wrong Salary has been deposited to my account’ and ‘Payslip January 2017 - Clarification on Taxable Amount’ – the ticket status, and the name of the person who worked on it,” according to the report.
And Microsoft portals related to mixed reality had lists “which contained 39,210 records for primarily non-Microsoft users, some of which had business email accounts and some of which were from personal email providers like Gmail or universities. The data present was the user’s full name, email address, and the name of their Microsoft liaison,” according to the report.