
38 Million Users’ Data Exposed by Microsoft Power Apps


Microsoft’s Power Apps portal service is designed to make the development of web or mobile apps easier. Unfortunately, due to an issue with the default security setting, 38 million users’ data was publicly available when it shouldn’t have been.

What Happened With Microsoft Power Apps?

Essentially, the Microsoft Power Apps platform made data publicly accessible by default instead of keeping it private, as discovered by UpGuard and reported by Wired. This meant that anyone looking to quickly get a web app up and running with these APIs had to manually enable security, rather than the other way around.

“The UpGuard Research team can now disclose multiple data leaks resulting from Microsoft Power Apps portals configured to allow public access – a new vector of data exposure,” UpGuard said in a blog post.

Microsoft Power Apps are used by a wide range of companies and government bodies. Because it’s quick and easy to get a website or app going, it was used quite frequently for COVID-19 tools such as contact tracing, vaccine sign-up forms, and so on. The platform was also popular for storing job application portals and employee databases.

These tools could contain sensitive user data, and a shocking number of them didn’t have the security measures turned on. That means data such as phone numbers, home addresses, social security numbers, and COVID-19 vaccination status were exposed to anyone who happened to be looking for them.

Just a few examples of organizations that this affected are American Airlines, Ford, J.B. Hunt, the Maryland Department of Health, the New York City Municipal Transportation Authority, and New York City public schools.

Is There a Fix?

Fortunately, the situation has already been addressed by Microsoft. The company has now made it so the default settings do not allow API data and other information to be publicly available. Instead, developers will need to enable this setting manually, which is probably how it should have been from day one.

There’s always going to be data that developers want public, so they’ll have to go through the extra step of making select data available rather than going through the extra effort to make it hidden. This is definitely a better way to go for people using these web apps, as it lets them rest assured that their private data is kept confidential. However, the damage is done in this case. We’ll need to wait for the fallout to see how bad it is.
