Over 1000 web apps created with Microsoft’s Power Apps inadvertently exposed the data of over 38 million users because of a misconfiguration, according to a new report in Wired. The good news? The issue has been fixed, and no customers are known to have been compromised.
“We found [a web app created with Power Apps] that was misconfigured to expose data and we thought, we’ve never heard of this, is this a one-off thing or is this a systemic issue?” UpGuard vice president Greg Pollock told Wired. “Because of the way the Power Apps portals product works, it’s very easy to quickly do a survey. And we discovered there are tons of these exposed. It was wild.”
The data includes sensitive information, including phone numbers, home addresses, social security numbers, and COVID-19 vaccination statuses, and it was leaked via COVID-19 contact tracing platforms, vaccination sign-ups, job application portals, and employee databases. Organizations such as American Airlines, Ford, J.B. Hunt, the Maryland Department of Health, the New York City Municipal Transportation Authority, and New York City public schools were responsible for the leaks, which were attributed to a single misconfiguration in Power Apps. Even some of Microsoft’s own apps suffered from this mistake.
The organizations used Power Apps to create public-facing web apps and backend management portals, the report says. And while the exposure is troubling, Microsoft has already changed the design of Power Apps portals to address this issue, and there are no known compromises. Microsoft has also issued a tool so existing customers can test their portal settings.