A misconfiguration in Microsoft’s Power Apps, a low-code platform that Microsoft says lets teams build and launch apps right away using prebuilt templates, drag-and-drop simplicity and quick deployment, has exposed up to 38 million records to the internet, including social security numbers and vaccination status.
The issue was found by security company UpGuard, which discovered that the platform’s default configuration kept tables secure, but not lists: a list on a Power Apps portal could be read without authentication unless its owner had explicitly locked it down.
UpGuard identified 47 affected organisations, including government agencies; even data from Microsoft’s own payroll portal was exposed.
Exposed data sets included the Indiana Department of Health’s contact-tracing database, Maryland Department of Health coronavirus testing appointments, New York City Department of Education staff and student rosters, and a New York Metropolitan Transportation Authority list of employees vaccinated against COVID-19.
Microsoft was informed of the issue but “determined that this behaviour is considered to be by design,” leaving UpGuard to notify the affected organisations directly.
Those organisations eventually closed the exposures, and Microsoft appears to have notified its government customers as well. Microsoft also released a tool that detects whether a portal’s lists allow anonymous access, and updated Power Apps so that newly created portals secure all data, lists included, by default.
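The check a portal owner would want to run is the same one UpGuard performed: request a list’s data with no credentials and see whether records come back. The script below is an added example, not from the article, UpGuard’s report or Microsoft’s own checker. It assumes a list is published through the portal’s OData feed at `/_odata/<entity set>` (an assumption about the endpoint layout, not something the article states), and the portal URL, list name and sample responses in the usage note are placeholders.

```python
"""Probe a Power Apps portal list for anonymous (unauthenticated) read access.

Added example; not code from the article, UpGuard or Microsoft. The feed path
/_odata/<entity set> and the $top parameter are assumptions about the portal
layout; the classification logic is what matters.
"""
import json
import sys
import urllib.error
import urllib.request


def build_feed_url(base_url, entity_set, top=5):
    # Assumed layout: portal OData feed at /_odata/<entity set>; $top limits rows
    # so a positive probe does not pull the whole table.
    return f"{base_url.rstrip('/')}/_odata/{entity_set}?$top={top}"


def fetch_anonymous(url, timeout=10):
    """GET the URL with no cookies, tokens or credentials; return (status, body)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        # 401/403/404 arrive here; keep the status so the caller can classify it.
        return e.code, e.read().decode("utf-8", "replace")


def classify_anonymous_response(status, body):
    """Interpret the reply to an unauthenticated feed request.

    Returns (verdict, row_count), where verdict is one of:
      'protected' - 401/403: the portal demanded authentication
      'not_found' - 404: no feed at that path (list not published, or wrong name)
      'exposed'   - 200 with an OData 'value' array: records readable anonymously
      'unknown'   - anything else (HTML login page, redirect, server error)
    """
    if status in (401, 403):
        return "protected", 0
    if status == 404:
        return "not_found", 0
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            return "unknown", 0          # e.g. an HTML login page served with 200
        rows = data.get("value") if isinstance(data, dict) else None
        if isinstance(rows, list):
            # Even an empty array means the feed answers without auth; zero rows
            # today does not mean zero rows tomorrow, so still flag it.
            return "exposed", len(rows)
    return "unknown", 0


def probe(base_url, entity_set, fetch=fetch_anonymous):
    """Return (verdict, row_count) for one list on one portal."""
    status, body = fetch(build_feed_url(base_url, entity_set))
    return classify_anonymous_response(status, body)


if __name__ == "__main__":
    # Usage: python probe.py https://yourportal.example.net contacts
    verdict, n = probe(sys.argv[1], sys.argv[2])
    print(f"{sys.argv[2]}: {verdict} ({n} rows returned)")
```

Run it from a machine with no session to the portal; anything other than `protected` or `not_found` for a list that holds personal data is the condition the article describes. The `fetch` parameter exists so the classifier can be exercised against captured responses without touching a live portal.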
In a statement Microsoft said:
“We take security and privacy seriously, and we encourage our customers to use best practices when configuring products in ways that best meet their privacy needs.”
Read UpGuard’s full report here.