Microsoft Leaks 38m Sensitive Records Via ‘Careless’ Power App Configs!

Data leaked includes COVID-19 vaccination records, US Social Security numbers & email addresses linked to American Airlines, Ford, Indiana Department of Health & New York City public schools.

For months, Microsoft’s Power Apps portals exposed personal data tied to 38m records, ranging from COVID-19 vaccination status to US Social Security numbers & email addresses. Consumers most affected by what is being called a “platform issue” are those doing business with American Airlines, Ford, the Indiana Department of Health & New York City public schools.

Power Apps

Microsoft describes its Power Apps as a “suite of apps, services, & connectors, as well as a data platform, that provides a rapid development environment to build custom apps for your business needs.” The tool is used by developers to build applications that share data locally or with the cloud.

On Mon., UpGuard Research revealed Microsoft’s Power Apps management portal had accidentally leaked the data of 47 businesses, totalling the exposure of 38m personal records.

It asserted that Microsoft’s Power Apps platform was flawed in the way it forced customers to configure their data as private or public. Microsoft does not consider the data leak a vulnerability, but rather a configuration issue that it can improve on its part.

Findings

Besides data sets previously mentioned, researchers outlined what they found as:

American Airlines: A collection of 398,890 “contact” records, which included full names, job titles, phone numbers, & email addresses. A 2nd “test” collection of data included 470,400 records, which included full names, job titles, phone numbers & email addresses.

Denton County, TX: A total of 632,171 records spilled included vaccination types, appointment dates & times, employee IDs, full names, email addresses, phone numbers, & birth dates. “The list ‘contactVaccinationSet’ had 400,091 records with fields for full names & vaccination types, & ‘contactset’ had 253,844 records with full names & email addresses,” researchers wrote.

J.B. Hunt Transport Services: The transportation logistics firm made public 905,228 records that included customer full names, email addresses, physical addresses & phone numbers. Over a quarter million of the records also included US Social Security numbers.

Microsoft’s own Global Payroll Services Portal: Researchers found 332,000 records of Microsoft employees & contractors with their @microsoft.com email address, full name & phone numbers that appear to be for personal use.

Open Data Protocol

UpGuard observed the data leak is tied to how the Power Apps platform ‘juggles’ the use of the Open Data Protocol (OData) with its application programming interface (API). For example, some data handled within the Power Apps platform needs to be public, & other related data sets need to be private.

“In cases like registration pages for COVID-19 vaccinations, there are data types that should be public, like the locations of vaccination sites & available appointment times, & sensitive data that should be private, like the personally identifying information of the people being vaccinated,” UpGuard wrote.

Private User Data

Researchers discovered that sensitive user data, which should have been private, was being segregated but was still publicly accessible. The issue, UpGuard explained, is that Microsoft’s configuration options for sharing & storing sensitive data in Power Apps “create the potential for data leaks.”

Researchers zeroed in on the OData APIs used by Power Apps for retrieving & storing public & private/sensitive data. More specifically, they focused on how data (such as personally identifiable information, or PII) is stored & formatted into “Table Permissions” for sharing – or not.

Configuration Settings

The issue is configuration settings that instruct a Power Apps user to “set the Enable Table Permissions Boolean value on the list record to true.”

“If those configurations are not set & the OData feed is enabled, anonymous users can access list data freely,” researchers wrote.
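The exposure condition described above (OData feed enabled while table permissions are not) can be turned into a configuration audit. This is an added example, not UpGuard’s or Microsoft’s code; the list records are constructed, and the field names (odata_enabled, table_permissions_enabled, columns) and the PII column hints are hypothetical stand-ins for however a real portal export names them.

```python
"""Audit Power Apps portal list configurations for anonymous OData exposure."""
from dataclasses import dataclass, field
from typing import List, Tuple

# Hypothetical column-name fragments that suggest the sort of personal data
# the article lists (full names, emails, phone numbers, SSNs, birth dates).
PII_HINTS = ("name", "email", "phone", "ssn", "social", "birth", "employeeid")


@dataclass
class PortalList:
    name: str
    odata_enabled: bool              # hypothetical: the list's OData feed is on
    table_permissions_enabled: bool  # hypothetical: "Enable Table Permissions"
    columns: List[str] = field(default_factory=list)


def anonymous_odata_exposure(lists: List[PortalList]) -> List[str]:
    """Names of lists anonymous users can read over OData.

    Mirrors the page's condition: feed enabled AND permissions not enforced.
    A list with no OData feed, or with permissions on, is not exposed this way.
    """
    return [l.name for l in lists
            if l.odata_enabled and not l.table_permissions_enabled]


def audit(lists: List[PortalList]) -> List[Tuple[str, str, List[str]]]:
    """(list name, severity, suspicious columns) for every exposed list.

    Some public lists are intended (vaccination site locations, appointment
    slots), so exposure alone is 'review'; PII-looking columns make it 'high'.
    """
    findings = []
    exposed = set(anonymous_odata_exposure(lists))
    for lst in lists:
        if lst.name not in exposed:
            continue
        pii = [c for c in lst.columns if any(h in c.lower() for h in PII_HINTS)]
        findings.append((lst.name, "high" if pii else "review", pii))
    return findings


def apply_secure_default(lists: List[PortalList]) -> List[PortalList]:
    """Copies with table permissions enabled, the default Microsoft moved to."""
    return [PortalList(l.name, l.odata_enabled, True, list(l.columns)) for l in lists]


# Constructed sample in the shape of the lists the article describes.
SAMPLE_LISTS = [
    PortalList("vaccination_sites", True, False, ["site_name", "slots"]),
    PortalList("contactVaccinationSet", True, False, ["fullname", "vaccinationtype"]),
    PortalList("contactset", True, True, ["fullname", "emailaddress"]),
    PortalList("internal_notes", False, False, ["note"]),
]

if __name__ == "__main__":
    for name, severity, cols in audit(SAMPLE_LISTS):
        print(f"{severity.upper()}: {name} readable anonymously via OData {cols}")
```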

A Feature, Not a Bug

During the course of its research, UpGuard discovered the OData misconfiguration by Microsoft customers (& even Microsoft itself) to be widespread & systemic. “Empirical evidence suggests a warning in the technical documentation is not sufficient to avoid the serious consequences of misconfiguring OData list feeds for Power Apps portals,” wrote researchers.

UpGuard notified Microsoft of the data leakage on June 24, 2021. Microsoft then began to investigate claims that its Power Apps were responsible for revealing millions of sensitive-data records. On June 29, the company asserted that the platform worked as planned.

Case was Closed

“The case was closed, & the Microsoft analyst informed us that they had determined that this behaviour is considered to be by design,” UpGuard wrote.

Over the following weeks, UpGuard continued to find massive data exposures tied to the way Power Apps handled OData via its API.

“Microsoft would later take action after we had notified some of the most severe exposures. We spent the next few weeks analysing the data for indicators of sensitivity & reaching out to affected organisations,” according to the UpGuard report.

Publicly Accessible

For all of UpGuard’s attempts to shed light on Microsoft’s Power Apps problems, it was ‘persona non grata’ not only with Microsoft, but also with others it notified of data leaks. The reaction to UpGuard’s discovery of sensitive COVID-19 vaccine records being publicly exposed by the state of Indiana was typical.

Researchers notified Indiana’s Deputy Chief Technology Officer on July 2 of its publicly accessible stores of sensitive data. While the data was removed by July 7, on Aug. 17 the State of Indiana issued a press release publicly acknowledging the data exposure; it also accused UpGuard of “improperly” accessing the data, claiming it was done as a ploy to drum up business from the state.

Unremunerated Support

“UpGuard has never approached Indiana, or any other company notified of a breach for business, & there is no merit to the press statement.

On the contrary, UpGuard has provided hours of unremunerated support in service of Indiana Department of Health and the people it serves,” UpGuard wrote. UpGuard also verified to the state that all the publicly accessible data it had discovered has been destroyed.

Microsoft Acts

Since UpGuard’s disclosure of the issue, Microsoft released a tool for checking Power Apps portals for leaky data. It also plans to change the product so that table permissions will be enforced by default, UpGuard said.

“To diagnose configuration issues, the Portal Checker can be used to detect lists that allow anonymous access. More importantly, newly created Power Apps portals will have table permissions enabled by default.

Table configurations can still be changed to allow for anonymous access but defaulting to permissions enabled will greatly reduce the risk of future misconfiguration,” UpGuard wrote.

UpGuard added that it agrees with Microsoft’s stance that the issue is not a software vulnerability, but rather a platform issue that “requires code changes to the product.”

Data Confidentiality

“It is a better resolution to change the product in response to observed user behaviours than to label systemic loss of data confidentiality as an end user misconfiguration, allowing the problem to persist & exposing end users to the cyber-security risk of a data breach,” UpGuard concluded.

“Ultimately, Microsoft has done the best thing they can, which is to enable table permissions by default & provided tooling to help Power Apps users self-diagnose their portals.”
