Misconfigured applications built using Microsoft Corp.’s Power Apps platform made 38 million records publicly available on the open web, according to newly released cybersecurity research.

The data leaks were the result of a default setting in the platform that made applications’ information data accessible without a password. 

The research detailing the issue was published today by UpGuard Inc., a San Francisco startup that makes software for finding vulnerabilities in companies’ technology infrastructure. The startup notified Microsoft before releasing its findings. The technology giant rolled out an update to address the data leaks earlier this month and the vast majority of affected Power Apps applications now no longer allow access to their information, UpGuard said.

Power Apps is a low-code development platform sold by Microsoft that enables business users without extensive programming expertise to quickly create custom applications. Applications built with Power Apps can be used to automate internal business tasks at a company, like copying purchase logs from one database to another. The platform also lends itself to building websites such as customer support portals.

Earlier this year, an UpGuard cybersecurity expert came across a website created with Power Apps that exposed personal information via an application programming interface. The company notified the website’s operator and the issue was resolved. Afterwards, UpGuard began investigating whether there may be other Power Apps applications with the same issue.

Over the course of its research, the company found more than 1,000 Power Apps applications that inadvertently made their data accessible via the open web. Among the applications were workloads developed by major enterprises such as Ford Motor Co., American Airlines Inc. and Microsoft itself. A number of services built by public sector organizations were affected as well. 

UpGuard determined that the affected applications exposed about 38 million records, some of which contained sensitive information such as Social Security numbers and personal information used for COVID-19 contact tracing.

The data leaks occurred because the operators of the affected applications didn’t enable a key security setting in Power Apps.

Applications created with Power Apps keep their information in spreadsheets. Those spreadsheets are hosted in a Microsoft service called Dataverse. Until August, information in applications’ spreadsheets could by default be accessed without a password through an application programming interface. Companies had to specifically enable a privacy setting via the Power Apps management console to prevent Power Apps from making information publicly accessible.

“When a developer enables the OData feed on the ‘OData Feed’ list settings tab, they must also activate the ‘Enable Table Permissions’ option on the “General” list settings tab unless they wish to make the OData feed public,” UpGuard researchers detailed in a blog post.

In the early August update that resolved the issue, Microsoft changed the Power Apps settings to make application data inaccessible by default. UpGuard told Wired that the vast majority of affected applications it has found no longer make their information publicly accessible, including all the applications containing sensitive information.

“Additionally, Microsoft has released a tool for checking Power Apps portals and planned changes to the product so that table permissions will be enforced by default,” UpGuard researchers wrote. “To diagnose configuration issues, the Portal Checker can be used to detect lists that allow anonymous access. More importantly, newly created Power Apps portals will have table permissions enabled by default. Tables configurations can still be changed to allow for anonymous access, but defaulting to permissions enabled will greatly reduce the risk of future misconfiguration.”

Image: Microsoft