In this age of constant surveillance and data collection, increased under the guise of COVID protections, stories such as this will become increasingly common.
Microsoft’s Power Apps were recently misconfigured and this resulted in over a thousand online apps being available to anybody who found them.
The research analysts at Upguard, via Wired, found that more than 38 million records from over a thousand web apps using Microsoft’s PowerApps portal platform were left online.
In the records, information including home addresses, phone numbers, social security numbers, and vaccination status is alleged to have been taken from COVID-19 contact tracing attempts, vaccine registrations, and employee databases.
The Maryland Department of Health, American Airlines, Ford, J.B. Hunt, and the New York City Metropolitan Transportation Authority were among the organizations affected by the incident. In spite of the fact that the breaches appear to have been resolved, with the vulnerability from the misconfiguration under control, they illustrate how a seemingly simple mistake can have widespread outcomes.
Microsoft’s PowerApps portal service, a development platform that makes it simple to construct web or mobile apps for external usage, held all of the exposed data.
Neither the disclosed data nor any of its contents has been altered yet. Over 332,000 email addresses and Microsoft employee IDs used for payroll have been exposed, according to Upguard.
It’s possible to use a Power Apps portal to offer a public-facing web page as well as the management system for a vaccination appointment sign-up site during a pandemic, for example. In addition to the names and email addresses of individuals, the company claims 39,000 records from Microsoft Mixed Reality portals were exposed.
According to Upguard, on June 24th, it filed a vulnerability report to the Microsoft Security Resource Center, which included links to Power Apps portal accounts with sensitive data exposed and procedures to discover APIs that allowed anonymous data access.
The associated data was rendered publicly accessible automatically when the researchers enabled these APIs. Due to this, many users misconfigured their apps by leaving the unsafe default settings.
Cloud-based databases have been a major source of danger for years because of misconfiguration. This makes vast amounts of data vulnerable to unauthorized access and theft. The industry has been working to identify potential misconfigurations and keep client data confidential by default at major cloud providers but the issue was not prioritized until recently.