38 million records exposed because companies used default configs in Microsoft Power Apps
https://www.neowin.net/news/38-million-r...ower-apps/
Usama Jawad · Aug 23, 2021 12:36 EDT
Power Apps is Microsoft's low-code platform for organizations to quickly develop full-fledged applications, mostly for internal use, complete with a frontend and a backend. It is a powerful utility that lets you build apps even if you are not a skilled programmer. Microsoft regularly updates Power Apps with new features and capabilities. However, a new report might be cause for concern for organizations, as it appears that over 38 million records have leaked online because organizations relied on the default configurations in Microsoft Power Apps.

As reported by Wired, security firm Upguard has highlighted that thousands of web apps made by multiple companies have been exposing sensitive information through public-facing Power Apps portals. According to the report, 38 million records were available to the public and contained information about COVID-19 contact-tracing information, employee databases, job information, phone numbers, social security numbers, and home addresses. Apparently, some of Microsoft's own apps also displayed the same behavior.

Upguard says that when APIs were enabled for Power Apps, the default configuration used to be such that any data hosted was publicly accessible: anyone who had a portal's URL could use it to scrape data belonging to another entity.

The security firm reported its findings to Microsoft as well, and as a result, the Redmond tech giant released an update in August to make APIs private by default. It also rolled out a tool so organizations can check the security settings of their Power Apps portals.

This is certainly an interesting case in terms of defining where the blame lies. While the onus should be on organizations to properly configure their Power Apps, having the APIs public by default is a bit of an odd design decision by Microsoft as well. Many companies use Power Apps to build applications for internal use and publish them immediately, so security is probably not the top priority in many use cases. It is currently unknown whether the 38 million records in question were scraped by anyone, but it has been revealed that multiple companies, including Ford, J.B. Hunt, and American Airlines, were impacted by the misconfiguration.

Source: Upguard via Wired