UpGuard discovers 38 million leaked records from over 1,000 misconfigured web applications

UpGuard has revealed that over 1,000 web apps have disclosed more than 38 million records containing names, COVID-19 tracking information, and other personal data because their operators misconfigured the Microsoft Power Apps platform used to manage their software.

The company says the leaked records include “personal information used for COVID-19 contact tracing, COVID-19 vaccination appointments, social security numbers of job applicants, employee IDs and millions of names and e-mail addresses”, as well as other information.

Microsoft Power Apps is supposed to make it so that “anyone can quickly create and share low-code apps,” according to its website, and UpGuard says the service offers a feature called “portals” which is supposed to allow its customers to share information with people who use their web applications.

The problem was that anyone could access seemingly private information by visiting a portal subdomain that lists all of the data sources Microsoft Power Apps makes available through portals, each with a URL that can be used to view that data directly from the browser.

“Visiting the URL of a list would display the data if anonymous access was allowed, or a message indicating that access was prohibited if a certain level of table permissions was enabled,” says UpGuard. “The full URL would be something like example.powerappsportals.com/_odata/mylist, which makes it very easy to switch from a list of portals to publicly accessible lists.”
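The check a portal operator would want after reading the above is a script that walks that same path anonymously: fetch the portal's /_odata service document, then request each list it advertises and record whether the portal returns rows or an access-denied response. The script below is an added example written for this article; it is not UpGuard's tooling or anything Microsoft ships. It assumes the portal serves a standard OData v4 service document (a JSON object whose "value" array names each entity set) at /_odata and each list at /_odata/<name>; the hostname and the sample responses are constructed placeholders so the script runs offline.

```python
"""Check which OData lists a Power Apps portal exposes to anonymous visitors.

Added example, not code from the article, UpGuard or Microsoft.
Assumptions: the portal serves a standard OData v4 service document at
/_odata (a JSON object whose "value" array names each entity set) and each
list lives at /_odata/<name>. The hostname below is a placeholder.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# A fetcher maps a URL to (HTTP status, response body as text).
Fetcher = Callable[[str], Tuple[int, str]]


def http_fetch(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Anonymous GET with no cookies or auth header, so the result reflects
    exactly what an unauthenticated visitor would see."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def parse_service_document(body: str) -> List[str]:
    """Return the entity-set names advertised by an OData service document."""
    doc = json.loads(body)
    return [entry["name"] for entry in doc.get("value", []) if "name" in entry]


def classify_list(status: int, body: str) -> str:
    """Label one /_odata/<list> response.

    'exposed' -> 200 with a non-empty JSON "value" array: anonymous read works.
    'empty'   -> 200 but no rows: readable, nothing to leak right now.
    'blocked' -> 401/403: table permissions are in effect.
    'other'   -> anything else (redirect to login, 404, malformed body).
    """
    if status in (401, 403):
        return "blocked"
    if status != 200:
        return "other"
    try:
        rows = json.loads(body).get("value")
    except (ValueError, AttributeError):
        return "other"
    if not isinstance(rows, list):
        return "other"
    return "exposed" if rows else "empty"


def audit_portal(base_url: str, fetch: Fetcher = http_fetch) -> Dict[str, str]:
    """Enumerate /_odata and classify every list it advertises."""
    root = base_url.rstrip("/")
    status, body = fetch(root + "/_odata")
    if status != 200:
        # No readable service document: nothing is enumerable anonymously,
        # which is the state a correctly configured portal should be in.
        return {}
    results: Dict[str, str] = {}
    for name in parse_service_document(body):
        list_status, list_body = fetch(f"{root}/_odata/{name}")
        results[name] = classify_list(list_status, list_body)
    return results


# Constructed sample responses standing in for a live portal (offline demo).
SAMPLE_RESPONSES = {
    "https://example.powerappsportals.com/_odata": (200, json.dumps({
        "@odata.context": "https://example.powerappsportals.com/_odata/$metadata",
        "value": [
            {"name": "contacttracing", "url": "contacttracing"},
            {"name": "vaccineappointments", "url": "vaccineappointments"},
            {"name": "jobapplicants", "url": "jobapplicants"},
        ],
    })),
    "https://example.powerappsportals.com/_odata/contacttracing": (200, json.dumps({
        "value": [{"fullname": "A. Sample", "email": "a@example.org"}],
    })),
    "https://example.powerappsportals.com/_odata/vaccineappointments": (200, json.dumps({"value": []})),
    "https://example.powerappsportals.com/_odata/jobapplicants": (403, "Access denied"),
}


def sample_fetch(url: str) -> Tuple[int, str]:
    """Fetcher that answers from the constructed sample instead of the network."""
    return SAMPLE_RESPONSES.get(url, (404, ""))


if __name__ == "__main__":
    # Swap sample_fetch for http_fetch (the default) to audit a portal you operate.
    for name, verdict in audit_portal("https://example.powerappsportals.com", sample_fetch).items():
        print(f"{name}: {verdict}")
```

Run it only against portals you are authorized to test; the fetcher deliberately sends no credentials, so an 'exposed' verdict means the list is readable by anyone on the internet, which is exactly the condition UpGuard describes.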

UpGuard says it reported the issue to the Microsoft Security Resource Center on June 24 and notified affected organizations on July 2.

That list of affected organizations included the state health departments of Maryland and Idaho as well as American Airlines, JB Hunt and Ford, among others. Microsoft was also on the list, with UpGuard saying some of the “important” portals affected included:


  • Global Payroll Services

  • Support for business tools

  • Customer information portal

  • Mixed reality

  • Azure China

UpGuard says it contacted Microsoft again and was asked to file an abuse report. Shortly after that, several of the company’s portals were properly secured and Microsoft also reportedly began contacting government customers to alert them to the potential security issue.

Microsoft has since introduced a tool that Power Apps customers can use to check whether their portals are secure, and has made the default settings more private. But the company doesn’t appear to have made any reference to the issue on the service’s blog or in its documentation.
