UpGuard has revealed that over 1,000 web apps leaked more than 38 million records containing names, COVID-19 tracing information, and other personal data because their operators misconfigured the Microsoft Power Apps platform that was used to manage their software.
The company says the leaked records include "personal information used for COVID-19 contact tracing, COVID-19 vaccination appointments, Social Security numbers for job applicants, employee IDs, and millions of names and email addresses," as well as other information.
Microsoft Power Apps is supposed to make it so "everyone can quickly build and share low-code apps," according to its website, and UpGuard says the service offers a feature called "portals" that's supposed to allow its customers to share information with people who use their web apps.
The problem was that anyone could access ostensibly private information by visiting a subdomain that listed all of the sources of information Microsoft Power Apps makes available via portals, complete with URLs that could be used to view that data right from the browser.
"Visiting the URL for a list would either display the data, if anonymous access was allowed, or show a message that access was forbidden, if some level of table permissions were enabled," UpGuard says. "The full URL would be something like example.powerappsportals.com/_odata/mylist, making it very easy to go from a list of portals to publicly accessible lists."
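As an added illustration (not UpGuard's or Microsoft's code), here is how a portal operator could audit their own portal's lists for the anonymous-read condition UpGuard describes; it assumes the `/_odata/<list>` path and the 200-or-403 behaviour quoted above, that the endpoint honours the standard OData `$top` option, and uses an injectable fetcher so it can be exercised offline against constructed responses.

```python
"""Audit a Power Apps portal you operate for anonymously readable OData lists.

Constructed example, not UpGuard's or Microsoft's code. It assumes the pattern
described above: an unauthenticated GET to https://<portal>/_odata/<list>
returns the rows when anonymous access is allowed, or a 403 when table
permissions are enforced.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# A fetcher returns (status_code, body_text) for a URL. It is injected so the
# audit can run offline against constructed responses (see the test fetcher).
Fetcher = Callable[[str], Tuple[int, str]]


def http_fetch(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Default fetcher: unauthenticated GET, no cookies, no credentials."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify(status: int, body: str) -> str:
    """Map one response to an audit verdict.

    'exposed'   -> 200 with an OData collection that contains rows
    'empty'     -> 200 but the collection has no rows (still anonymously listable)
    'forbidden' -> 403, table permissions are enforced
    'other'     -> anything else (404 for an unknown list, 5xx, non-JSON body)
    """
    if status == 403:
        return "forbidden"
    if status != 200:
        return "other"
    try:
        rows = json.loads(body).get("value")
    except (ValueError, AttributeError):
        return "other"
    if not isinstance(rows, list):
        return "other"
    return "exposed" if rows else "empty"


def audit_portal(host: str, lists: List[str], fetch: Fetcher = http_fetch) -> Dict[str, str]:
    """Check each named list on your own portal; only the first row is requested."""
    report: Dict[str, str] = {}
    for name in lists:
        status, body = fetch(f"https://{host}/_odata/{name}?$top=1")
        report[name] = classify(status, body)
    return report
```

Any list reported as `exposed` or `empty` is readable without a login and should have table permissions enabled (or anonymous web roles removed) before it is considered private.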
UpGuard says it reported the issue to the Microsoft Security Resource Center on June 24. It was told on June 29 that Microsoft "determined that this behavior is considered to be by design," and therefore wouldn't be addressed, so it started to contact affected organizations on July 2.
That list of affected organizations included the Departments of Health for Maryland and Idaho as well as American Airlines, J.B. Hunt, and Ford, among many others. Microsoft was on the list, too, with UpGuard saying that some of the "significant" portals affected included:
Global Payroll Services
Business Tools Support
Customer Insights Portal
UpGuard says it contacted Microsoft again and was told to file an abuse report. Shortly after it did that, several of the company's portals were properly secured, and Microsoft reportedly started to reach out to government customers to warn them of the potential security issue, too.
Microsoft has since introduced a tool that Microsoft Power Apps customers can use to see if their portals are secure, and it has changed the default settings to be more private. But the company doesn't appear to have referenced the issue on the service's blog or documentation.