More than a thousand web applications mistakenly exposed 38 million records on the open internet, including data from a number of Covid-19 contact tracing platforms, vaccination sign-up systems, job application portals, and employee databases. The data included a range of sensitive information, from people's phone numbers and home addresses to Social Security numbers and their Covid-19 vaccination status.
The exposures affected major businesses and organizations, including American Airlines, Ford, the transportation and logistics company JB Hunt, the Maryland Department of Health, the New York City Municipal Transportation Authority, and New York City public schools. And while the exposures have since been addressed, they show how an insecure default on a popular platform can have far-reaching consequences.
All of the exposed data was stored in Microsoft's Power Apps portals service, a development platform that makes it easy to build web or mobile applications for external use. If you need to quickly stand up a vaccine appointment registration site during a pandemic, for example, Power Apps portals can generate both the public-facing site and a backend for managing the collected data.
Starting in May, researchers from the security company UpGuard began investigating a large number of Power Apps portals that were publicly exposing data that should have been private, including some portals Microsoft had built for its own purposes. No data is known to have been compromised, but the finding is still significant, because it reveals a flaw in the design of Power Apps portals that has since been fixed.
In addition to managing internal databases and providing a foundation for application development, the Power Apps platform also provides ready-made APIs for interacting with that data. But UpGuard's researchers realized that when these APIs were enabled, the platform defaulted to making the corresponding data publicly readable, and restricting access was a separate, manual step. As a result, many customers misconfigured their apps simply by leaving the unsafe default in place.
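The practical check an organization would have wanted at the time is an unauthenticated probe of the portal's API: ask the feed which entity sets it exposes, then try to read a row from each with no cookies and no credentials. The script below is an added example and is not UpGuard's tooling or Microsoft's checker. It assumes the API in question is the portal's OData feed, served under the documented `/_odata` path, and that responses follow the OData service-document and entity-set JSON conventions; the portal hostname, entity sets, field names and the `SENSITIVE_HINTS` keyword list are all constructed for illustration. Only run it against portals you own or are authorized to test.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Documented path of a Power Apps portal's OData feed (the API discussed above).
ODATA_PATH = "/_odata"

# Field-name fragments that hint at personal data. Illustrative, not exhaustive.
SENSITIVE_HINTS = ("ssn", "socialsecurity", "phone", "email", "address",
                   "birth", "vaccin", "salary", "passport")


def http_fetch(url, timeout=10):
    """Anonymous GET: no cookies, no Authorization header. Returns (status, body)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        # 401/403/404 is the expected answer from a locked-down feed.
        return exc.code, ""


def flag_sensitive(fields):
    """Return the field names that match one of the sensitivity hints."""
    return sorted(f for f in fields if any(h in f.lower() for h in SENSITIVE_HINTS))


def audit_odata_exposure(base_url, fetch=http_fetch, sample=1):
    """Enumerate the portal's OData entity sets and test whether each one can be
    read anonymously. Returns {entity_set: {...}}; an empty dict means the feed
    itself is not reachable without credentials, which is the desired state."""
    status, body = fetch(urljoin(base_url, ODATA_PATH))
    if status != 200:
        return {}
    try:
        entity_sets = json.loads(body).get("value", [])
    except json.JSONDecodeError:
        return {}

    report = {}
    for es in entity_sets:
        name = es.get("name") or es.get("url")
        if not name:
            continue
        # $top limits the probe to a single record; we want proof, not a dump.
        url = urljoin(base_url, f"{ODATA_PATH}/{es.get('url', name)}?$top={sample}")
        status, body = fetch(url)
        entry = {"anonymous_read": False, "status": status,
                 "fields": [], "sensitive_fields": []}
        if status == 200:
            entry["anonymous_read"] = True  # 200 with zero rows still means open
            rows = json.loads(body).get("value", []) if body else []
            if rows:
                fields = sorted(rows[0])
                entry["fields"] = fields
                entry["sensitive_fields"] = flag_sensitive(fields)
        report[name] = entry
    return report


# Constructed, fictional portal responses so the audit runs offline.
PORTAL = "https://example.powerappsportals.com"
CONSTRUCTED_RESPONSES = {
    f"{PORTAL}/_odata": (200, json.dumps({
        "@odata.context": f"{PORTAL}/_odata/$metadata",
        "value": [
            {"name": "contacts", "kind": "EntitySet", "url": "contacts"},
            {"name": "vaccine_registrations", "kind": "EntitySet",
             "url": "vaccine_registrations"},
        ]})),
    # Entity set left on the insecure default: anyone can read it.
    f"{PORTAL}/_odata/contacts?$top=1": (200, json.dumps({"value": [
        {"contactid": "c1", "fullname": "Jane Example", "mobilephone": "555-0100",
         "address1_line1": "1 Main St", "ssn_last4": "1234"}]})),
    # Entity set with table permissions enabled: anonymous read is refused.
    f"{PORTAL}/_odata/vaccine_registrations?$top=1": (403, ""),
}


def constructed_fetch(url, timeout=10):
    return CONSTRUCTED_RESPONSES.get(url, (404, ""))


def demo():
    return audit_odata_exposure(PORTAL, fetch=constructed_fetch)


if __name__ == "__main__":
    for name, entry in demo().items():
        state = "OPEN" if entry["anonymous_read"] else f"closed ({entry['status']})"
        print(f"{name}: {state}; sensitive fields: {entry['sensitive_fields']}")
```

Against a real portal, replace `constructed_fetch` with the default `http_fetch`. An entity set that answers 200 to an anonymous request is exposed whether or not the sampled row contains anything that looks sensitive; the keyword flagging only prioritizes which exposures to fix first.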
"We found one of these things that was misconfigured to expose the data, and we thought, we've never heard of that before, is this a one-time thing or is it a systemic problem?" says Greg Pollock, UpGuard's vice president of cyber research. "Because of the way the Power Apps portal product works, it's very easy to do a quick survey. And we found out there were tons of these exposed. They were wild."
The types of information the researchers found were extensive. JB Hunt's exposure involved job applicant data that included Social Security numbers. Microsoft itself exposed a number of databases through its own Power Apps portals, including a legacy platform called Global Payroll Services, the Business Tools Support portals, and the Customer Insights portal.
The exposures were also limited in important ways. The fact that the state of Indiana, for example, had an exposed Power Apps portal does not mean that all data held by the state was disclosed; only the subset of contact tracing data used in that portal was exposed.
Misconfigured cloud databases have been a serious problem for years, exposing huge amounts of data to improper access or theft. Major cloud providers like Amazon Web Services, Google Cloud Platform, and Microsoft Azure have all taken steps to store customer data privately by default and to flag potential misconfigurations, but the industry did not prioritize the problem until fairly recently.
After years of studying cloud misconfigurations and data exposures, UpGuard's researchers were surprised to find the same pattern on a platform they had not examined before. UpGuard attempted to survey the exposures and notify as many affected organizations as possible. The researchers could not reach every affected entity, because there were too many, so they also disclosed their findings to Microsoft. At the beginning of August, Microsoft announced that Power Apps portals would now default to keeping API data and other information private. The company also released a tool that customers can use to check their portal settings. Microsoft did not respond to a request from WIRED for comment.