Microsoft Power Apps Platform Exposes Millions of Users Across Apps

Microsoft Power Apps Platform Exposes Millions of Users Across Apps

An apparent misconfiguration of the Microsoft Power Apps platform resulted in the exposure of 38 million users across thousands of web apps. 

Microsoft Power Apps is a development platform designed to ease the creation of external applications. Exposed apps include American Airlines, Ford, J.B. Hunt, the Maryland Department of Health, the New York City Municipal Transportation Authority, and New York City public schools. Security firm Upguard began investigating Microsoft Power Apps and several publicly facing databases that should have been private in May of this year. 

The information exposed includes COVID-19 contact tracing, COVID-19 vaccination appointments, social security numbers for job applicants, employee IDs, and millions of names and email addresses. 

It remains unclear whether any malicious actor found and exploited the exposed data, and the misconfiguration is now closed. Still, this alleged design flaw could have put millions at risk. 

We spoke to several cybersecurity experts for more on the subject.  

Microsoft Power Apps Platform Exposes Millions of Users Across Apps

Roger Grimes

Roger Grimes is Data-Driven Defense Evangelist at KnowBe4.

“This is probably the ten-thousandth example of the same thing…data being accidentally exposed in a cloud app because of a legacy issue…in this case, overly permissive permissions. It is the most common cloud security issue. It’s funny, when the cloud-first came out and started to catch fire, most of the cybersecurity world was incredibly concerned with all the new types of threats and vulnerabilities that cloud apps would bring with the shared, multi-tenancy, use, and heavy dependency on virtualization. And for sure, there have been some occasional cloud-specific threats and attacks. But without a doubt, the most common issues that compromise cloud apps are social engineering, unpatched software, and overly permissive permissions, which are the same things that have plagued non-cloud systems for decades. I have people ask me all the time how they can keep their clouds secure, like it’s some secret sauce. But it really isn’t. It’s really mostly by focusing on the same things that were your biggest problems in the non-cloud world. So, why we’ve all been worried about some devious fast-spreading cloud worm or some master exploitation that will let every cloud tenant get compromised at once, the real news is that cloud attacks are the same old news. And anyone not paying attention to that fact is going to re-learn it the hard way. Focus on the basics.”

Erich Kron

Erich Kron is Security Awareness Advocate at KnowBe4.

Unfortunately, data exposure due to misconfigured security settings in applications, or in cloud storage containers, is far from uncommon in our modern digital world. Due to the volume of, and sensitivity of, data being collected, these misconfigurations can have serious implications, especially with systems that are internet-facing.

Fortunately, it appears that in this case data loss has not occurred, however, any time data is exposed, steps should be taken to review data access logs to ensure the data was not stolen.

It is not enough to just rely on applications to keep data safe, processes and procedures must be in place to ensure that the data remains secure and the permissions that protect the data should be audited on a regular basis. Logging of data access should be enabled, along with regular reviews of data access activity, to ensure that information is not being accessed in unexpected ways or by unauthorized people. Regular and consistent training related to cybersecurity topics of all kinds can help to develop a security-centric mindset with employees, leading to more awareness around data protection and a greater likelihood that they will spot potential security setting misconfigurations.

Chris Clements

Chris Clements is VP of Solutions Architecture at Cerberus Sentinel.

“The rush to the cloud has exposed many organizations’ inexperience with the various cloud platforms and risks from their default configurations.  Developing in a public cloud can have efficiency and scaling advantages, but it also often removes the “Safety-net” of development conducted inside internal networks protected by outside access by the perimeter firewall.  It’s critical that company’s “look before they leap” with migrations or new development on cloud platforms to fully understand the potential security gotchas or risks that they might introduce.  It’s also instructive for cloud vendors to understand the risks that their chosen default settings have on customers and change them to provide higher security by default even if it reduces upfront convenience.”

Nathanael Coffing

Nathanael Coffing is CSO and co-founder of Cloudentity.

“In this scenario, the application programming interfaces (APIs) on Microsoft Power Apps were lacking authentication and authorization which made data from these applications publicly available, so that anyone actively searching for a web app containing users’ information could have easily accessed personal data such as COVID-19 tracing forms, vaccination sign-ups and employee databases.

While the flaws discovered in the platform have been patched, it’s still evident that organizations have a long way to go in terms of proper API security. To prevent misconfigurations and similar vulnerabilities from occurring, APIs must be securely operated within Automated Identity, Authorization, Consent and governance guardrails to safeguard sensitive data. To stay ahead of cyber-criminals, this necessary level of security requires organizations to implement context-based, granular authorization for APIs, along with a Zero Trust API Authorization approach. Only then can organizations ensure all internal, customer and partner data that is stored and collected by their APIs is completely secure.”

Matt Sanders

Matt Sanders is Director of Security at LogRhythm.

“This situation is a prime example of just how easily accessible personal data can be if not guarded behind the proper controls. In this case, 38 million personal records were exposed to the public after misconfigured default settings in a development platform were left publicly accessible. Personally identifiable information (PII), which cannot be changed or updated like you can with a credit card number, such as Social Security numbers, home addresses and COVID-19 vaccination statuses were exposed to anyone who had access to the platform. This is a great opportunity for threat actors and cyber-criminals to easily get ahold of valuable, personal data and use it to their advantage. 

In order to quickly detect and neutralize security threats such as this one, it is essential for organizations to have the proper controls in place. Detection and response capabilities, authentication and access controls, and real-time monitoring and visibility are crucial to protecting valuable customer data. Large enterprises must prioritize advanced security controls in order to keep a proper eye on the personal information that is stored in their databases.”

Casey Ellis

Casey Ellis is CTO and Founder of Bugcrowd.  

“This breach highlights the importance of “making secure easy, and insecure obvious”. Insecure defaults are rarely classed as vulnerabilities in and of themselves, but the combination of the speed at which businesses have deployed technology over the past two years, the absence of feedback from those who “think bad, but do good” in the ethical hacker community, and the default itself all contributed to this particular data leak.   

The breach is a good example and timely reminder of the value of ethical hackers in both the software design phase, and for testing systems in products – especially for organizations that are dealing with sensitive information such as Covid-19 contact tracing platforms. Without the enablement of security researchers via Microsoft’s vulnerability disclosure program (VDP), the weakness would likely have remained exploitable for much longer, exposing the data to malicious adversaries.  

A VDP, such as the one used by Microsoft, allows ethical security researchers to proactively and securely disclose cybersecurity vulnerabilities to the organization before adversaries can discover and exploit them. This offers a layered security approach, as it is to be leveraged in addition to an organization’s internal security team. 

The longer a vulnerability exists undetected, the more likely adversaries are to have already accessed or obtained the data. VDPs establish an open line of communication between the community of security researchers and organizations, so researchers can proactively report such vulnerabilities and organizations can fix them – before they’re exploited by bad actors.”

Josh Rickard

Josh Rickard is Security Solutions Architect at Swimlane.

“The accidental exposure of personal records puts victims at extreme risk of data theft by threat actors to use to their malicious advantage, including identity theft and leakage of other personally identifiable information (PII), furthering the risk and exposure of those already victimized. In this case, 38 million total customers of several major companies have been left with their personal information—such as home addresses, phone numbers, COVID-19 vaccination statuses, and Social Security numbers—exposed to the public due to a misconfiguration in a common development platform used across all companies involved. These situations prove that, even after data exposures have been addressed and redressed, platform misconfigurations can have long-standing repercussions.  

It is essential for major organizations, like the ones involved in this data exposure, to centralize and automate their detection, response, and investigation protocol into a single platform. The power of security automation allows organizations to improve the level of protection for valuable customer data. Implementing real-time security automation through SOAR solutions allows for automated incident response and execution of security-related tasks without the chance of human error, further ensuring the privacy of organizations’ valued customers and their data.”

Thanks to these experts for their time and expertise. For more on similar cybersecurity topics, check out the SIEM Buyer’s Guide or the SOAR Buyer’s Guide

Ben Canner